Slashdot Mirror

← Back to Stories (view on slashdot.org)

High Integrity Software

Posted by timothy on from the tensegrity dept.

Jack Ganssle writes "High Integrity Software: the title alone got me interested in this book by John Barnes. Subtitled "The SPARK Approach to Safety and Security," the book is a description of the SPARK programming language's syntax and rationale. The very first page quotes C.A.R Hoare's famous and profound statement:'There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.' This meme has always rung true, and is one measure I use when looking at the quality of code. It's the basis of the SPARK philosophy." Read on for more of Ganssle's review of the book, and some more on the SPARK language. High Integrity Software author John Barnes pages 448 publisher Addison-Wesley rating 8 reviewer Jack Ganssle ISBN 0321136160 summary The book describes a language that insures programs are inherently correct.

What is SPARK? It's a language, a subset of Ada that will run on any Ada compiler, with extensions that automated tools can analyze to prove the correctness of programs. As the author says in his Preface, "I would like my programs to work without spending ages debugging the wretched things." SPARK is designed to minimize debugging time (which averages 50% of a project's duration in most cases).

SPARK relies on Ada's idea of "programming by contract," which separates the ability to describe a software interface (the contract) from its implementation (the code). This permits each to be compiled and analyzed separately.

It specifically attempts to insure the program is correct as built, in contrast to modern Agile methods which stress cranking a lot of code fast and then making it work via testing. Though Agility is appealing in some areas, I believe that, especially for safety critical system, focus on careful design and implementation beats a code-centric view hands down.

SPARK mandates adding numerous instrumentation constructs to the code for the sake of analysis. An example from the book:

Procedure Add(X: In Integer);

--#global in out Total;

--#post Total=Total~ + X;

--#pre X > 0;

The procedure definition statement is pure Ada, but the following three statements SPARK-specific tags. The first tells the analysis tool that the only global used is Total, and that it's both an input and output variable. The next tag tells the tool how the procedure will use and modify Total. Finally a precondition is specified for the passed argument X.

Wow! Sounds like a TON of work! Not only do we have to write all of the normal code, we're also constructing an almost parallel pseudo-execution stream for the analysis tool. But isn't this what we do (much more crudely) when building unit tests? In effect we're putting the system specification into the code, in a clear manner that the tool can use to automatically check against the code. What a powerful and interesting idea!

And it's similar to some approaches we already use, like strong typing and function prototyping (though God knows C mandates nothing and encourages any level of software anarchy).

There's no dynamic memory usage in SPARK -- not that malloc() is inherently evil, but because use of those sorts of constructs can't be automatically analyzed. SPARK's philosophy is one of provable correctness. Again -- WOW!

SPARK isn't perfect, of course. It's possible for a code terrorist to cheat the language, defining, for instance, that all globals are used everywhere as in and out parameters. A good program of code inspections would serve as a valuable deterrent to lazy abuse. And it is very wordy; in some cases the excess of instrumentation seems to make the software less readable. Yet SPARK is still concise compared to, say, the specifications document. Where C allows a starkness that makes code incomprehensible, SPARK lies in a domain between absolute computerese and some level of embedded specification.

The book has some flaws: it assumes the reader knows Ada, or can at least stumble through the language. That's not a valid assumption any more. And I'd like to see real-life examples of SPARK's successes, though there's more info on that at www.sparkada.com.

I found myself making hundreds of comments and annotations in the book, underlining powerful points and turning down corners of pages I wanted to reread and think about more deeply.

A great deal of the book covers SPARK's syntax and the use of the automated analysis tools. If you're not planning to actually use the language, your eyes may glaze over in these chapters. But Part 1 of the tome, the first 80 pages which describes the philosophy and fundamentals of the language and the tools, is breathtaking. I'd love to see Mr. Barnes publish just this section as a manifesto of sorts, a document for advocates of great software to rally around. For I fear the real issue facing software development today is a focus on code ueber alles, versus creating provably correct code from the outset.

You can purchase High Integrity Software from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, carefully read the book review guidelines, then visit the submission page.

68 of 238 comments (clear)

  1. hmmm by Anonymous Coward · · Score: 5, Funny

    The very first page quotes C.A.R Hoare's famous and profound statement

    Not to be confused with C.A.M. Hoare's famous and profound statement: "Want to see my boobies?"

  2. question by Anonymous Coward · · Score: 5, Insightful
    Do these authors actually employ the mentioned practices with any success on a daily basis?

    Or do they sit around thinking of methodologies to write books about?

    Those who can, do, those who can't, teach?

    1. Re:question by DrEldarion · · Score: 3, Insightful

      Those who can, do, those who can't, teach?

      Those who can't teach, teach theory.

    2. Re:question by deepchasm · · Score: 4, Informative

      Yes, they do.

      SPARK Ada came from Praxis Critical Systems. (http://www.praxis-cs.co.uk/). Go take a look. You can read about how SPARK Ada is used in things like aircraft, and (increasingly) in the automotive industry.

    3. Re:question by Anonymous Coward · · Score: 2, Funny

      | Do these authors actually employ the mentioned practices with any success on a daily basis?

      Yes. And I regularly see job adverts specifying SPARK.

    4. Re:question by AdaDaddy · · Score: 2, Interesting

      Actually, yes.
      These people have successfully used SPARK on many projects. They also provide the tools making the SPARK approach feasible.

      The SPARK approach causes discomfort for many software developers because its approach diverges from that of the various agile development processes.

      If you read the book you will discover that the author's claims are supported by real data from real projects.

      The SPARK approach is extremely formal. It has frequently been used on the safety critical portions of larger systems.

      Remember that SPARK is intended for use primarily on real time safety critical systems. Such systems control energy sources. Failure of such systems carries a high probability of injury or death to people.

  3. A _review_? by Caine · · Score: 5, Insightful

    Seriously, I'm not one to complain, but this isn't a review; it's a guy saying "WOW" repeatedly.

    1. Re:A _review_? by InternationalCow · · Score: 3, Interesting

      You're right. I still do not know whether or not this book is any good if you're interested in SPARK or Ada and want to learn. Wow. This is not a review but a rave. However, the author obviously knows what he's talking about so I would welcome an actual review on Slashdot.

      --
      ----- One learns to itch where one can scratch.
    2. Re:A _review_? by Anonymous Coward · · Score: 2, Interesting

      He says it exactly twice. Seems like you ARE one to complain.

  4. heheh by grub · · Score: 4, Funny


    "High Integrity Software"

    SCO should adopt that as their motto. :)

    --
    Trolling is a art,
  5. But what.. by Anonymous Coward · · Score: 4, Insightful

    ..if the contract itself is wrong?

    1. Re:But what.. by happyfrogcow · · Score: 2, Insightful

      that's not the implementors primary concern, really. but if you have a design to begin with, atleast you can backtrack and see why the contract is wrong. change it, and implement the right contract.

    2. Re:But what.. by AlecC · · Score: 5, Insightful

      I agree that this is actually the problem. As I understand it, the high-reliability people have more-or-less solved the problem of enduring the code follows the specification (though at a cost that woul deter for less critical applications). But all this does is push the problem one level higher.

      In the early days of compilers, one of the claims for compilers was that they would make mistakes impossible. Of course, all they did was make one class of stupid assembler mistakes impossible.

      The reason for the verbosity of COBOL is the idea that it would be so like business English that management could read it, if not write it.

      Eash time we get a tool that removes one class of mistakes, all we do is increase the systen m complexity until the level of mistakes returns to the previous level of near-unacceptability. "Snafu" is the normal state of the programmers universe - it is only a case of how large a system you build before it all fouls up.

      Having said that, Design By Contract is a good idea. While accepting that it is always going to turn to ratshit, you might as well do so at a higher level as a lower one. However, it isn't new: look at Eiffel and Aspect Java for instance.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    3. Re:But what.. by bcrowell · · Score: 4, Insightful
      As I understand it, the high-reliability people have more-or-less solved the problem of enduring the code follows the specification (though at a cost that woul deter for less critical applications).
      Yeah, the article's statement, "The book describes a language that insures programs are inherently correct," is really misleading. Very few real-world programs have ever been proved correct, and the reasons for that are language-independent. Very few real-world problems even lend themselves to a precise mathematical statement of what "correct" would mean. What would it mean for mozilla to be "correct?" Even if your code is running a nuclear reactor, the code can only be as "correct" as the accuracy of the assumptions and engineering data that went into the spec.

      In many real-life projects, the nastiest bugs come from requirements that change after the first version has already been written. Proving that a program correctly implements a spec doesn't help if the spec changes.

      --
      Find free books.
    4. Re:But what.. by Waffle+Iron · · Score: 3, Insightful
      ..if the contract itself is wrong?

      That's the beauty of this system. You can close out the issue in your bug tracking database anyway:

      "CLOSED: Not a bug; behavior as designed."

    5. Re:But what.. by Mikkeles · · Score: 2, Informative
      SPARK only covers programme verification. There are other formal methods which cover specification (e.g. Z) as well as various theorem provers which can link all these parts together to ensure no contradictions, etc.

      A search on Google for formal methods will give you a lot of stuff. The first site that comes up is a good starting point.

      Note that at some point, one has to hope that what the client wants is what he has described. A tax calculation programme will not be of use if he really wanted a customer relations management system :^)

      --
      Great minds think alike; fools seldom differ.
    6. Re:But what.. by Beryllium+Sphere(tm) · · Score: 3, Informative

      >.if the contract itself is wrong?

      In real life that's what usually kills people.

      _Safeware_ by Nancy Leveson looked at several software-related disasters. Only one disaster, the Therac radiation machine that fried several patients, was the result of actual bugs (and those bugs were race conditions). The rest consisted of software obediently and disastrously doing exactly what it was supposed to do, like the black lab at #7 in http://www.dorsai.org/~walts/darwin.html.

      If you build safety-critical software be sure to have some organized way to flush out what-if questions and hidden assumptions.

  6. Car Whores? by SirChris · · Score: 2, Funny

    I thought car whores are the girl who pose for all the car magazines. Or the ones that sleep with the guy with the coolest car.

  7. public class interfaces by Anonymous Coward · · Score: 2, Interesting

    Ok, I know nothing about SPARK, so forgive my ignorance. Why is the "contract" paradigm different from standard object oriented languages with public class interfaces?

    1. Re:public class interfaces by happyfrogcow · · Score: 4, Insightful

      Ok, I know nothing about SPARK, so forgive my ignorance.

      me neither, me too...

      my understanding is that the contract has hard requirements on specific input and specific output for results. all of which are defined prior to executing that code. something like "we require an incomming integer with a value that is between zero and fifteen. we gaurantee that an integer value will be returned that is either zero or one"

      with a public class interface you can write a peice of code that does this, but it won't gaurantee anything. it's up to the developer to exhaustively test all situations and make sure that it happens. in a contract based language, i would guess that the program either won't compile, won't run, or will fail in obvious ways in the development stage if the requirements are not met. i'm not sure how they handle requirements that aren't met.

    2. Re:public class interfaces by William+Tanksley · · Score: 4, Informative

      Design By Contract was not invented by SPARK; the name was popularised by Bertrand Meyer, who added it to his "Eiffel" language.

      Anyhow, DBC is totally distinct from object orientation. In DBC, each component in your software comes with a "contract" that states "if I am called when the _preconditions_ are true, I promise that after I run the _postconditions_ will be true."

      The preconditions and postconditions are a group of logical statements, hopefully ones which are useful to your program :-).

      Let me give a little example.

      function: sqrt( x )
      preconditions:
      - integer (x)
      - positive (x)
      postconditions:
      - result > 0
      - result * result x

      Do you see what's happening there? Without knowing /anything/ about how sqrt is computed, you can use it in powerful ways. Preconditions and postconditions can't always be as informative as the ones above are (the ones above define everything about the integer sqrt function), but they can give useful information.

      Adding in object orientation support to DBC is a little more complex, but I won't go into that unless asked.

      Traditional DBC systems, including Eiffel, couldn't verify your contracts, so most of them would translate the contracts into code, and include that code in the executable; if a contract failed, the code would throw an exception or otherwise fail. SPARK is interesting because it can detect contract failures without running the code; it can also detect when your contracts fail to promise enough.

      -Billy

    3. Re:public class interfaces by iabervon · · Score: 2, Interesting

      You don't really mean public class interfaces (per se), you mean function prototypes, which are available in C (for example). The difference is really that you can specify arbitrary information about what the function is supposed to do, rather than just a few particular things. E.g., the usual API for mod is something like

      int mod(int num, int den)

      This lets you add

      den != 0

      (den = 0)

      Then the compiler could automatically write the check for division by 0, and could optimize it out in cases when it can statically prove it is unnecessary.

      Of course, it's easy to get excessive in writing the contracts, such that the contracts are no simpler or more informative than the implementation. The trick is to have your contracts specify inportant information about the behavior of the code without going into so much detail that the contract is unclear to the user or not what you intended.

    4. Re:public class interfaces by gewalker · · Score: 2, Insightful

      I'm not so sure about Eiffel. In Eiffel, you can declare class invariants, which are contracts that must apply to your class and all inherited classes. Sounds like it includes OOPL contracts to me. Eiffel also has loop invarints.

      Anyway, I see nothing new in DBC in SPARK not already in Eiffel.

    5. Re:public class interfaces by Fearless+Freep · · Score: 2, Informative

      Or more like Eiffel with pre and post conditions, etc...

      or a ot of other languages with data validation written at the begging and ending of each method

    6. Re:public class interfaces by arn@lesto · · Score: 2, Insightful

      The problem with contract programming is that most people are incredibly bad at describing preconditions and postconditions. They either over specify or worse leave something out; the result is that the contract is invalid.

      The code gets written and it turns out to have bugs anyway. We go back to examine everything and notice missing details in the contracts. We fix those problems, the code gets re-written and the cycle continues. In the end we've not achieved much in the way of program correctness, efficiency of code, or reduction of the programers time.

      Trivial examples all show the benifits of whatever new language feature has been added. It's really only after significant use and experience that we can judge how good something is in a large scale appplication.

      I remember getting excited about the "Z specification" language in 1986, but in the end it was just too damn
      hard for everyone. The programs were absolutely correct but if you wanted to change something later, you were back to square one. Forget about anything large involving multiple people.

      Correctness isn't always necessary, some times good enough is all that is required. If you want to spend a couple of months proving that your implementation of sqrt() is correct I hope you have the funding (I see government money... enough said). Most of us can't afford this level of correctness.

      Give me a sandbox, lego bricks, and let me play.. go away I don't like your rules.

      --
      - AndrewN
  8. What horseshit by Anonymous Coward · · Score: 4, Insightful
    The book describes a language that insures programs are inherently correct.

    Now, is there a language to ensure that your boss asks you to program the right thing?

  9. References to the story by SamiousHaze · · Score: 5, Informative

    In General, if you want info, RTFA. However for those of you who just want some links to check things out quickly:

    Hereis a PDF that contains samble chapters of the book reviewed.

    Also from the same site is the following text and links for those of you wanting "real world examples":

    "Industrial Experience with SPARK (PDF 234kb) Dr. Roderick Chapman, Praxis Critical Systems Limted. Presented at ACM SigAda 2000 conference. This paper discusses three large, real-world projects (C130J, SHOLIS and the MULTOS CA) where SPARK has made a contribution to meeting stringent software engineering standards. "

  10. "no obvious deficiencies" by tcopeland · · Score: 5, Funny
    Cue Hitchhiker's Guide on the Sirius Cybernetics Corporation:
    In other words - and this is the rock solid principle on which the whole of the Corporation's Galaxy-wide success is founded - their fundamental design flaws are completely hidden by their superficial design flaws.
    --
    The Army reading list
  11. Wrong order - first test, than code by tcopeland · · Score: 5, Insightful
    modern Agile methods which stress cranking a lot of code fast and then making it work via testing.
    No, instead, they stress writing a test, then writing code to make the test pass. Big difference there.
    --
    The Army reading list
  12. Eurofighter by Anonymous Coward · · Score: 5, Informative

    SPARK is used heavily in the safety critical software in the Eurofighter amongst other projects. It is a complete pain to type all of the annotation, takes forever to run the tool and it very rarely comes up with any real problems in the code. I would pay good money never to have to go near it again. It was used to meet contractual requirements, not engineering requirements.

    One neat trick is to generate a large proportion of the annotation from the output error messages. Sort of defeats using the tool though but since it doesn't find much anyway the time freed up can be used to do some real testing.

    1. Re:Eurofighter by tcopeland · · Score: 3, Interesting

      > It was used to meet contractual
      > requirements, not engineering requirements.

      There be dragons.

      > One neat trick is to generate a large
      > proportion of the annotation from the
      > output error messages

      That's classic. It makes sense, though - kind of like running a code reformatter rather than running a "code format checker". Every night, the code gets reformatted to meet the style guide... no nagging emails, just silent enforcement.

      --
      The Army reading list
    2. Re:Eurofighter by Anonymous Coward · · Score: 2, Interesting

      The people who wrote the contract might have a different opinion. It seems to me I could claim cutting corners on the kind of cement wasn't important and just a contractual obligation not a design consideration. Are you saying that you can get the exact same kind of fault tolerance as a correctly used spark affords, and have the same level of confidence?

    3. Re:Eurofighter by SheldonYoung · · Score: 4, Insightful

      SPARK is used heavily in the safety critical software in the Eurofighter amongst other projects. It is a complete pain to type all of the annotation, takes forever to run the tool and it very rarely comes up with any real problems in the code.

      This type of unprofessional crap is the reason people have such low expectations of software. You didn't want to use the tool because it was a "pain to type"?! If the length of time it takes you to type your code is a bottleneck then you're not doing enough thinking before you type. The extar effort requierd to type more verbose code is close to zero. You're coming across like an aeronatical engineer would if they tightened a critical bolt to only 90% of the required torque because it was less effort.

      By saying very rarely comes up with any real problems" means it found some, and those problems may have been easily been overlooked by other types of testing. And what are problems wouldn't be "real" in saefty critical code?! Yes, there are other tools besides SPARK that could have been used but the principles should have been the same.

      Don't ever forget you're talking about a serious piece of hardware and there's a human being sitting in the pointy end. If I was a pilot of something that had a bug in it's safety critical software because of your lack of pride I would kick your ass.

    4. Re:Eurofighter by yermoungder · · Score: 5, Interesting

      Your experience flies (sorry! :-) in the face of the analysis done by LockheadMartin at Aerosystems International then... They discovered the delivered Ada projects had a defect rate 1/10 that of delivered C projects and delivered SPARK projects had a defect rate 1/10 that of Ada! 1% of all defects found has safety implications.

    5. Re:Eurofighter by Theodrake · · Score: 2, Interesting

      The real nightmare comes when the specification changes. So instead of just changing your code. You have to also change this psuedo code, oops contract. Plus I'm guessing you still have end-to-end tests, all of which get rewritten. All this may eliminate are the unit tests, which for me were the easiest to code and in many cases a visual inspection would do. Now you have to maintain this contract and your code. Seems like more trouble then it is worth.

    6. Re:Eurofighter by daksis · · Score: 2, Interesting
      This type of unprofessional crap is the reason people have such low expectations of software.

      I think people have such low expectations of software because for the most part, software doesn't meet their expectations, and the expectations people have of software are often unrealistic. Software is like everything else - built with the trade off of cost versus utility.

    7. Re:Eurofighter by Doctor+Faustus · · Score: 2, Interesting

      They discovered the delivered Ada projects had a defect rate 1/10 that...

      Lockheed has done some really cool things over the years, but I just don't buy this. If they could positively identify the defect rates of these programs, they could just get rid of the bugs in the first place, in the SPARK projects *and* in the C projects. It's more likely they've got some sort of automated checked that catches exactly the same sort of thing that SPARK itself does.

      Really, it looks like the SPARK program basically consists of the same program written twice, with the two versions compared for mismatches. This may be a useful tool, but it will only catch low-level errors. It would be more useful to write the program twice with different designs (and different teams), run them both, and report on when they came out with different answers.

  13. Ok... by dioscaido · · Score: 2

    I would have been interested if all this instrumentation had been grafted onto a language like Java, or C++. But to have to switch to Ada just to be able to add in instrumentation that helps in code analysis? It's also funny that he WOW's at the idea of no dynamic memory allocation... Why not just use a type safe language?

    1. Re:Ok... by William+Tanksley · · Score: 3, Informative

      Two statements there.

      I would have been interested if all this instrumentation had been grafted onto a language like Java, or C++. But to have to switch to Ada just to be able to add in instrumentation that helps in code analysis?

      Switching languages is a tiny effort compared to the change required to design your code for static validation. The SPARK people strongly recommend against trying to "switch" to SPARK; if you want the benefits, you have to code with it from the start. It's kind of like taking a 100,000 line C program written by 30 programmers over 10 years and trying to "switch" it to C++ -- it's theoretically possible, but in practice it's easier to start over.

      And what they did in Ada would have been impossible in C++. It's significant that SPARK code will run EXACTLY the same on all compliant Ada compilers. No platform dependancies, no ambiguities, no undefined behavior... ALWAYS the same. You simply can't possibly define a subset of C++ which would be able to make those promises. I don't know if it would be possible with Java; since there's no formal specification of Java, probably not.

      It's also funny that he WOW's at the idea of no dynamic memory allocation...

      I felt that way too :-). Odd.

      The reason they did it is simple, though -- they wanted to be able to set absolute bounds on when a SPARK program will or will not fail (throw an exception). There's no way to do that with dynamic memory allocation as it's defined in Ada and most other languages.

      Yes, that's limiting; no argument. But for some problems, particularly ones solvable by programs managing their own memory, the limitation doesn't matter compared to the benefits -- a SPARK program can execute without any runtime support code.

      Why not just use a type safe language?

      No such thing -- type safety is an uncomputable problem.

      If you meant strongly typed, that's easy; Ada was already strongly typed. SPARK just guerantees that the programs will always run the same, and SPARK's verifier guarantees that the types are chosen and described correctly.

      -Billy

    2. Re:Ok... by wintermute42 · · Score: 2, Insightful

      And what they did in Ada would have been impossible in C++. It's significant that SPARK code will run EXACTLY the same on all compliant Ada compilers. No platform dependancies, no ambiguities, no undefined behavior... ALWAYS the same. You simply can't possibly define a subset of C++ which would be able to make those promises. I don't know if it would be possible with Java; since there's no formal specification of Java, probably not.


      I'm not sure what you meant by formal specification here. As I recall someone did a huge denotational semantic specification of Ada. In theory this massive specification defined exactly what Ada's semantics are. The only problem is that such a specification is, in practice, useless. For even simple constructs, the denotational semantic description is huge. And as with any formalism, there is always the opportunity for error. Given the complexity of denotational semantics I suspect that few people other than the author ever read the whole thing.

      So that fact that Ada had DoD funding for a denotational semantic specification and Java does not does have such a specification does not make Ada more portable and reliable (in the sense that a piece of code will produce the same result on different platforms).

      The idea of adding assertions and other formal descriptions of the intended semantics has some merit. But the realization is SPARC is unfortunate.

      As I recall, the gang at Sun who did Java mentioned that they used C/C++ as the basis for Java because they wanted the language to be used. Choosing Ada as the basis for anything guarantees that few people will use it. The module paradigm for languages (used by Ada and Modula-2) is not as powerful as the object model. This is one reason that C++/Java have caught on and Ada/Modula-2 are consigned to history.

      Finally, just because you have a specification and code that exactly implements this specification does not mean that the application will not result in unintended results (e.g., the death of users or others). Frequently the problems encountered with software are a result of conditions that the designers did not forsee. That is, things that were not defined in the specification.

    3. Re:Ok... by yermoungder · · Score: 2, Interesting

      Or the companies who want to save money by not having to do so many man-hour hungry unit tests or post-release bug fixes... LockheadMartin have presented project using the highest level of DO-178B as cost 1/4 of (yes, "of" not "off") of similar non-Level A projects. There were many reasons for that, of course, but I'm sure that SPARK and similar tools played their part.

    4. Re:Ok... by wintermute42 · · Score: 2, Funny

      Yes, I admit it! It's true that I have not kept up with developments in Ada. I'm still scared by horror inflicted by the original version. And the trauma produced by the Ada design philosophy which produced languages like VHDL.

      OK, so they added objects, interfaces and other wonders of modern languages. But it still does not change the fact that Ada is not exactly in the main stream. To continue my walk out on the limbs of issues with which I am only shallowly familiar, I'll speculate that very few people would use Ada if it was not mandated by their sponsors (e.g., the Dept. of Defense).

  14. Theorem proving languages by Believe · · Score: 2, Informative

    This sounds a bit like Alloy. Alloy is both a code modelling language (like UML), but structured in such a way that the model can be analysed automatically using SAT solvers (yeah, I didn't know what those were at first either. Here's a site with some good info on them).

    Alloy's cool because you can use it to model code at a very abstract, high level (much like SPARK, it seems), although with Alloy you aren't tied to any specific language. The downside is that since the model isn't embedded in the code it's more useful as a design tool than something which will "guarantee" correctness every time you compile.

    1. Re:Theorem proving languages by killjoe · · Score: 2, Insightful

      It also sounds exactly like Eiffel.

      This industried ability to continually re-invent the wheel never ceases to amaze me.

      Let's go back to lisp and smalltalk every frikken language since then is just a rewrite of one or the other anyway.

      --
      evil is as evil does
  15. Programming by Contract? by RAMMS+EIN · · Score: 3, Insightful

    SPARK mandates adding numerous instrumentation constructs to the code for the sake of analysis. An example from the book:

    Procedure Add(X: In Integer);

    --#global in out Total;

    --#post Total=Total~ + X;

    --#pre X > 0;


    This seems rather a waste of time. You either first describe exactly what the code does, then write the code, or you write a simplification of what the code does, then the code.

    In the first case, you write the exact same thing twice, in different languages. That sounds like an immense waste of time to me.

    In the second case, your specification does not cover every aspect, which introduces loopholes, defeating the purpose of the contract.

    In either case, you get in trouble if there are errors in the contract.
    --
    Please correct me if I got my facts wrong.
    1. Re:Programming by Contract? by pedantic+bore · · Score: 2, Interesting
      This is a very simple case, and so it is not surprising that the contract and the code look similar. The proof of the pudding is whether this works for non-trivial specifications and algorithms.

      For example, will this work with your favorite sorting algorithm? Presumably all sorting algorithms for sets drawn from a given domain will have the same pre and post conditions, but very different algorithms.

      --
      Am I part of the core demographic for Swedish Fish?
    2. Re:Programming by Contract? by Flamerule · · Score: 3, Interesting
      SPARK mandates adding numerous instrumentation constructs to the code for the sake of analysis.
      This seems rather a waste of time. You either first describe exactly what the code does, then write the code, or you write a simplification of what the code does, then the code.
      I'm not an expert on any of this stuff, but allow me to point out the misunderstanding I think you're operating under. Programming by contract isn't concerned with what the code does inside a function, per se. It simply tries to ensure that a function adheres to its contract conditions on expected input/output. Pre/post conditions... you know. So a function, on beginning execution, can expect the program state it is given to obey the precondition properties. In turn, on ending execution, the function must leave the program state as specified by the postcondition.
      In the first case, you write the exact same thing twice, in different languages. That sounds like an immense waste of time to me.
      No, you don't specify everything the code does.
      In the second case, your specification does not cover every aspect, which introduces loopholes, defeating the purpose of the contract.
      As I said, the contract isn't a "simplification" of the code. But anyway, you're kind of saying here that this technique doesn't totally prevent all mistakes, so it's worthless. Harsh.
      In either case, you get in trouble if there are errors in the contract.
      Clearly. I think it's useful to explicitly detail the contract, however. It forces you to think about something you might not have considered otherwise.
    3. Re:Programming by Contract? by William+Tanksley · · Score: 3, Interesting
      This seems rather a waste of time. You either first describe exactly what the code does, then write the code, or you write a simplification of what the code does, then the code.

      It's not a waste of time to describe what a function does. It's essential to keep "what" a function does distinct from "how" it does it. That's the whole point of interface versus implementation.

      Consider a function with the following contract:
      function: sqrt( x )
      preconditions:
      - integer (x)
      - positive (x)
      postconditions:
      - result > 0
      - result * result <= x
      - (result+1) * (result+1) > x
      Now, can you see how that's useful? And do you see that this tells you something _completely_ different than what you'd know if you read the actual source code for that function (perhaps an implementation of Newton's method)?

      In the second case, your specification does not cover every aspect, which introduces loopholes, defeating the purpose of the contract.

      That's what SPARK's automatic verifier is for -- to prove that there are no loopholes.

      -Billy
    4. Re:Programming by Contract? by William+Tanksley · · Score: 2, Informative

      SPARK's assertions differ from C's because SPARK's are gueranteed to be complete and correct, otherwise the verifier won't let you past.

      You could, in theory, use to do design by contract, but you'd have to be very careful to put your assertions in the right places, make sure that none of them have side effects, and manually do a few other things that a DbC language automatically takes care of for you. It'd be risky, but it's possible. It becomes MUCH harder when you add object orientation, though; managing inheritance of invariants becomes very difficult.

      -Billy

  16. Free download of a similar system for Java by Animats · · Score: 5, Insightful
    We did this twenty years ago, for a dialect of Pascal. See Practical Program Verification. Back then, you could do it, but it was rather slow. Today, with machines thousands of times faster than the VAX 11/780 we used back then, it's much more feasible. But you need a language suitable for verification. C and C++ are hopeless - the semantics of the language are ambiguous. (Casts, pointer arithmetic, and "void *", make the typing system unreliable.) The Pascal/Modula/Ada family are suitable, with modifications and limitations. Eiffel and Sather do well, but few use them. Java, though, is both verifiable and widely used.

    The best available modern system for formal verification is the Extended Static Checking system for Java developed at DEC SRL. This was developed at DEC before HP shut down that research operation. It's still available as a free download.

    What all this machinery does is put teeth into "design by contract". With systems like this, you can tell if a function implements its contract, and you can tell if a caller complies with the contract of each thing they call. Before running the program.

    Developing in this mode means spending forever getting rid of the static analysis errors. Then, the program usually just runs. That's exactly what you want for embedded systems. But it's painful for low-grade programming like web site development, where "cosmetic errors" are tolerable and time-to-market matters more than correctness.

  17. Sounds like Resolve by etcshadow · · Score: 2, Interesting

    This sounds very much like (looks very much like, as well) a project that some of my professors were working on a few years back at Ohio State University, called Resolve C++. I also recall that they were working with another university (can't remember which... maybe U Penn?) on Resolve Ada.

    The basic idea was that they added a whole ton of syntactic sugar to C++ (not by structured comments, but by adding a bunch of key words that were #defined into nothing). I'm curious if this is related to that work at all. (At the time I was convinced that it was total crap, but several years of experience have shown me what they were trying to accomplish, if poorly.)

    --
    :Wq
    Not an editor command: Wq
  18. Why not make the tester the compiler? by 192939495969798999 · · Score: 2, Interesting

    Whatever the test application is doing to run those tests, why not just convert its output to an EXE/binary and use THAT as the program? Then you only have to write the tests to get both the test and the code that passes the test! That's copyright me, today, by the way.

    --
    stuff |
    1. Re:Why not make the tester the compiler? by tcopeland · · Score: 2, Informative
      > you only have to write the tests
      > to get both the test and the code that
      > passes the test!

      This came up on the Extreme Programming list a while back. I think the Java IDE IDEA does something like this, in that you can write a test and it'll generate the source code for the method signatures that you're trying to test. Then you fill in the implementation. *Disclaimer - I haven't used that feature so I don't know how well it works*

      One problem with this, though, is that code can pass a test but still be lousy. For example, say you've got a test case for a Stack:
      public void testStack() {
      Stack s = new Stack();
      assert(s.empty());
      s.push("hello");
      assert(s.pop().equals("hello"));
      }
      So the generator comes up with a Stack implementation - but the first thing it does is allocate a new array of size Integer.MAX_INT to hold the items. The tests pass... but memory usage is ridiculous.

      You could go at it by writing a genetic algorithm to evolve code that better fit the requirements... but I'm not sure that'd get you much further.

      Fun stuff!
      --
      The Army reading list
  19. Software deserves more respect by bigberk · · Score: 3, Interesting

    Crappy software is all around us (obviously). It may not seem like a huge tragedy that, say, Microsoft Windows has so many security problems but the unfortunate reality is that the entire Western Economy heavily relies upon software that is so fragile that fresh installations become compromised within minutes.

    Since so much of what we depend on these days is powered by software, I can't help but feel that industrial software development should be taken under the wing of Engineering. Why, you say? Well, professional fields like medicine, law, and engineering associate a duty to public safety with the job, and the regulatory bodies for the professions ensure that individuals who practice irresponsibly will lose their profesional status.

    There is no such accountability for software development. Look at Microsoft Windows, that our banks and governments rely upon! I think such a product would be much higher quality if the coders working on it were professionals and had to adhere to Codes; violating their professional duties would mean severe personal consequences. And the firm itself (Microsoft) would be legally liable if it produced a shoddy, dangerous product!

  20. using ada is enough by acomj · · Score: 4, Interesting

    I've been using ada for a little while now. Its actually a good language, with many features that provided self checking code. SPARK seems a bit excessive.

    For example ada already had constrained types (x :integer range 0..15) . If x goes above 15 or under 0 during runtime you get a constraint error.

    The ada compiler checks alot of things during compile time that I've never seen before.

  21. Ummmmm... by randombit · · Score: 3, Interesting

    One thing I note that the review does not mention is the fact that SPARK is, while Turing-complete, not very much fun to program in. Starting with Ada, a pretty B&D langauge to start with, SPARK removes all the remaining pointy bits, including: "the goto statement, aliasing, default parameters for subprograms (i.e. procedures and functions), side-effects in functions, recursion, tasks, user-defined exceptions, exception handlers and generics" (list taken from here, emphasis mine), plus dynamic allocation, which is mentioned in the review.

    Basically the only excuse you could possibly have for writing something in SPARK is extremely critical code (ie, if it fails, many people die). Even then I'd be skeptical it would provide much benefit, but at least it would provide some ass-covering ability. :)

    For a alternatve view of the practicality of correctness proofs, see chapter 4 of Peter Guttman's thesis. IIRC there was a book review of it on /. a while back (which I didn't read). Even if you did read it, read it again.

    "No programming language can save you from yourself."
    - Me

    1. Re:Ummmmm... by randombit · · Score: 2, Insightful

      Actually, I've seen a bunch of safety-critical systems that were written in Pascal or some godawful assembler

      My Dad hand-patches microcode on 60s-era safety systems in a chemical plant for a living. It's pretty intense. :)

      Perl is pretty far from a B&D language, but I'd sure hate to see an autopilot written in perl, no matter how productive or satisfied it made the coder.

      The happiness of the coder is not really the issue. If we could get safe, secure, reliable software by coding them in restrictive languages (or beating the programmers with sticks, whatever), then by all means we should, if it's worth what it will cost.

      The first problem is that nobody has any really convincing evidence that, all other things being equal (testing, design methods, skill of people involved, time/money available), SPARK or similiarly restricted languages actually gets you any meaningful improvment in security as compared to, say, Pascal, Ada95, C++, Java, O'Caml, or a similiarly "full of pointy bits" language.

      Secondly, the languages restrictions mean the programmers/designers have to spend more time (ie, money) working around the limitations of said language. It's economics. If a particular application (Word or Photoshop or your firewall or what have you), *never* crashed or failed in any way, would you be willing to pay 1000 times as much for it? 100x? 10x? Twice as much, even? For an autopilot, it might make sense. For 99% of the stuff that's out there, it doesn't (read Ross Anderson's papers on the economics of security for some good details on this area), because the cost of a failure (for the people writing/selling the code) is between zero and tiny, and the cost of making it not fail is high. It's cheaper to write crappy software, unless your legal/political liability is so fscking high that you *have* to make in safe.

  22. Newspeak by quixoticsycophant · · Score: 2, Interesting

    "Many computer scientists have fallen into the trap of trying to define languages like George Orwell's Newspeak, in which it is impossible to think bad thoughts. What they end up doing is killing the creativity of programming." --Larry Wall

    SPARK seems to be an extreme example. Though I've never used it, I venture to guess that in a quixotic effort to avoid all bugs SPARK only buries real bugs underneath a mountain of its own pedantry.

  23. Eiffel and Sather by Jecel+Assumpcao+Jr · · Score: 2, Informative

    People interested in this should also check out Eiffel and Sather as well.

  24. I needed this six months ago by spun · · Score: 3, Funny

    My last software project ran off with my wife, stole all my money, and crashed my new corvette. Damn! I really could have used this, instead I hired a bunch of Klingon programmers.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  25. IMHO the only way to go by Alwin+Henseler · · Score: 2, Insightful
    First thought I had here was another quote, probably saw it before somewhere on /.:
    "The true measure of a good coder is not how complex his code is, but how simple."

    Today's software systems become bigger, bigger, and bigger. Maybe single components are simplified, debugged or optimised, but not a system as a hole. The results we see today, in many systems, a single slip in one place, can screw up the entire system.

    IMHO the logical way to combat this, would be to design software using methods that can be formally proven to do what they're supposed to do. Such methods do exist.

    Today's security measures in operating systems (like running apps as non-root user under *nix) are in place at least for one reason: an assumption is made, that as a piece of software grows bigger, it's simply not possible to guarantee that there are no bugs in there, that it will always work as expected.

    That assumption is flawed: it is possible to design software such, that it always works as expected (hardware failures aside, that is). Doing so is just very hard. Not impossible.

    1. Re:IMHO the only way to go by Elbows · · Score: 2, Informative

      Having (briefly) done some research in program verification, I'd have to disagree with you.
      Proving non-trivial programs correct is nearly always intractable, if not strictly speaking impossible. We simply don't have the computing power to do it for larger programs, and (IMO) we probably never will.

  26. Re:Just a toy, or what? by yermoungder · · Score: 2, Informative

    Yes it is used extensively on the EuroFighter Typhoon aircraft, Airienne space rocket, Mondex cash cards, etc.

  27. Re:Proving sqrt() correctness? by Suslik · · Score: 4, Informative
    To prove the correctness of an (Integer) square root routine you would specify something like:

    procedure Sqrt(X : in Integer; Y : out Integer)
    --# derives Y from X;
    --# pre X >= 0;
    --# post (Y*Y <= X) and ((Y+1)*(Y+1) > X);

    i.e. Y, your sqrt, is no more than X when squared, but increase it by 1 and it is more than X. You require X to be non-negative.

    Assuming that your implementation implements an initial guess at Y and then repeatedly increments it, you would specify a loop invariant that shows that your guess at Y (say 'Z') is such that (Z+1)*(Z+1) For more information on what's practicable in a customer-specified system, read the peer-reviewed publications...

    Disclaimer: SPARK hacker for 6 years

    --
    Adi: Inveterate mathmo, Christian, BOFHlet hubbie and Perl lover.
  28. Homeland Security by yermoungder · · Score: 2, Insightful

    WRT: SPARK check out this report: http://www.cyberpartnership.org/SDLCFULL.pdf The report's task force was co-chaired by Microsoft and Computer Associates people and is being submitted to the DHS. It explicitly recommends SPARK as one method of increasing reliability/security. It also states "A programming language with significantly fewer possibilities for mistakes than C or C++ should be used where possible."

  29. Knuth said it best... by KurtP · · Score: 2, Interesting

    "Beware of bugs in the above code. I have only proven it correct, not tested it."

  30. Agile methods by JacobO · · Score: 2, Insightful

    in contrast to modern Agile methods which stress cranking a lot of code fast and then making it work via testing

    I have to disagree here, the agile methodologies I'm aware of stress automated unit testing to ensure the code that follows meets the specifications. They are agile because the "contract" enforced by the unit tests allow you to see what you have broken easily after a change. If your unit tests pass then you've either not broken anything or your test coverage is insufficient. It seems that these SPARK "tags" have some of the benefits and all the problems that a good suite of automated unit tests provides.

    I do however like the idea that your assumptions and dependencies are explicitly mentioned nearby where they occur. These are things that definitely sting you, especially in code you are new to (written by someone else.) All the little interdependencies and unexpected side-effects that make their way into code can really make life difficult sometimes.

    I have a feeling though that this would take discipline, and if all team members were skilled and disciplined then you would likely have much of these things stated anyway.

  31. Re:Check out D by krischik · · Score: 2, Interesting

    Yes D is interesting. Only, like Eiffel, it concentrates only on procedural contracts and lacks type contract.

    SPARC, being based on Ada does have type contracts:

    type Day_Of_Month is range 1 ..31;

    BTW: The example won't work. It does not take into account the fact that math.sqrt(x) only calculates an approximation - which is truncated to long. Correct examples have been posted before - by SPARC hackers.

    It is not a good sign that the D developers made such an obvious mistake.

    With Regards

    Martin