Proving the Correctness of GNAT Light Runtime Library
- Track: Ada devroom
- Room: D.ada
- Day: Sunday
- Start: 16:25
- End: 17:05
- Video with Q&A: D.ada
- Video only: D.ada
- Chat: Join the conversation!
As a programming language, Ada offers a number of features that require runtime support, e.g. exception propagation or concurrency (tasks, protected objects). The GNAT compiler implements this support in its runtime library, which comes in a number of different flavors, with more or less capability. The GNAT light runtime library is a version of the runtime library targeted at embedded platforms and certification, with an Operating System or without it (baremetal). It contains around 180 units focused mostly on I/O, numerics, text manipulation, memory operations.
Variants of the GNAT light runtime library have been certified for use at the highest levels of criticality in several industrial domains: avionics (DO-178), space (ECSS-E-ST40C), railway (EN 50128), automotive (ISO-26262). Details vary across certification regimes, but the common approach to certification used today is based on written requirements traced to corresponding tests, supported by test coverage analysis. Despite this strict certification process, some bugs were found in the past in the code. An ongoing project at AdaCore is applying formal proof with SPARK to the light runtime units, in order to prove their correctness: that the code is free of runtime errors, and that it satisfies its functional specifications.
So far, 30 units (out of 180) have been proved, and a few bugs fixed along the way (including a security vulnerability). In this talk, I will describe the approach followed, what was achieved, and what we expect to achieve.
Speakers
Yannick Moy |