Development Log in categories SPARK Pro

  • SPARK Pro
    Oct 27th, 2016

    Better handling of always-fail subprograms
    Subprograms where all possible execution paths end in an exception are now dealt with in a more obvious fashion. Instead of raising many checks and warnings, we now emit only a single high check indicating that no path will return normally.

  • SPARK Pro
    Oct 20th, 2016

    level switch uses time limit instead of step limit
    The level switch used to provide a high level way of tuning the verification condition now sets time limits instead of step limits for provers. As a result, this switch is more predictable, as it always allows each prover to run for the same amount of time, but less deterministic, as the time needed for a prover to complete a proof may vary depending on the computer.

  • SPARK Pro
    Sep 29th, 2016

    Integration of Codepeer Technology into SPARK
    The CodePeer Static Analysis engine is now part of the SPARK tools. It can be enabled using the command line switch --codepeer=on, or selected via a new checkbox in the SPARK integration inside GPS. If this is done, SPARK will run the CodePeer engine prior to its own analysis to discharge checks. Depending on the project and kinds of checks, this can result in more proved checks, or quicker completion of analysis, because SPARK doesn't need to analyze some checks already proved by the CodePeer analysis. The strong point of the CodePeer static analysis are ranges of variables, including floating-point variables. As a result, proof of runtime checks will be improved if the CodePeer engine is used.

  • SPARK Pro
    Sep 29th, 2016

    Ability to replay proofs using SPARK
    The SPARK tools now support a new switch --replay. If this switch is passed to GNATprove, it will attempt to replay the proofs of all checks that are marked as proved in the proof session, using for each VC the same prover that succeeded in proving it, and a time and steps limits that were sufficient to make the proof succeed. This feature provides an efficient way of checking that all proofs still go through, e.g. after an upgrade of the SPARK tools.

  • SPARK Pro
    Sep 28th, 2016

    Use SMT-LIB float theory with prover Z3
    GNATprove can now benefit from SMT solvers with native floating- point support. In particular GNATprove uses this support in prover Z3, which gives more precise results on floating-point programs.

  • SPARK Pro
    Sep 27th, 2016

    Support for type invariants
    The tools now have initial support for type invariants (SRM 7.3.2). A type invariant can be specified on the completion of a private type. This invariant can be assumed anywhere outside the package where the type is declared; and is checked inside the package. Type invariants are useful to simplify a common pattern where an invariant is added to the pre- and post-conditions of all subprograms in a package.

  • SPARK Pro
    Sep 22nd, 2016

    Better handling of ‘Length on modular index types
    The translation of the 'Length array attribute has been improved to avoid unecessary conversions when the index type is a modular integer type. This should improve provability whenever 'Length is used on a modular index type in contracts.

  • SPARK Pro
    Sep 9th, 2016

    Suppressed unnecessary warning message
    For a null default subprogram defined in the formal part of a generic unit, now GNATprove does not emit a warning about formal parameters of the subprogram being unused and/or unmodified.

  • SPARK Pro
    Aug 29th, 2016

    Assume Initial_Condition of withed units
    When checking compilation units, we now assume that the Initial_Condition aspect of each withed unit holds. It results in more discharged verification conditions in particular on main units.

  • SPARK Pro
    Aug 29th, 2016

    Counterexamples involving quantified expressions
    Some counterexamples are now printed for universally quantified variables (in loop invariants for example).

  • SPARK Pro
    Aug 16th, 2016

    Improved documentation
    The UG section 8.6.4. Proof Limitations does now better document the support for storage place attributes. In particular, it states that First_Bit, Last_Bit and Position attributes are supported but in case there is no record representation clause then their value is assumed to be nonnegative.

  • SPARK Pro
    Aug 5th, 2016

    More fine-grain placement rules for pragma Annotate
    Previously, if pragma Annotate was placed e.g. at the start of a statement list, it would apply to the whole enclosing construct (e.g. an if statement including all branches and statements). Now it only applies to the range between the beginning of the enclosing statement and the pragma itself. This allows to e.g. apply a pragma Annotate to the condition of an if-statement, but not the other parts of the if-statement. Note that this may require changes to the placement of pragma Annotate in existing code, or more pragma Annotate than before.

  • SPARK Pro
    Aug 1st, 2016

    Support for GNAT attribute System’To_Address
    GNAT attribute System'To_Address, which is a static attribute equivalent to a call to System.Storage_Elements.To_Adress, is now supported.

  • SPARK Pro
    Jul 28th, 2016

    Improved precision on tagged conversion
    When a tagged type was converted, information about the value of its components was lost, and so, even when converting between types which are conceptually the same (tagged subtypes and derived types with null extension). Tagged conversion are now better handled in proof.

  • SPARK Pro
    Jul 21st, 2016

    Improve posting of SPARK violations
    SPARK violations are now posted on the entity that is not in SPARK rather than on the entity that will result not to be in SPARK for this violation. This is done for formal parameters of a function, return types of a function and indexes of an array.

  • SPARK Pro
    Jul 16th, 2016

    Take into account contracts on abstract subprograms
    When an abstract subprogram with a classwide contract is called from an annotation, its postcondition is now available for proof.

  • SPARK Pro
    Jul 15th, 2016

    More convenient support for Coq interactive prover
    Previously, to be able to use the Coq interactive prover with SPARK, it was required to create a why3.conf file with the appropriate configuration. Now, SPARK comes with the suitable configuration already included, and this extra step is not needed any more. The Coq prover still needs to be installed separately.

  • SPARK Pro
    Jul 15th, 2016

    New GPS panel for examine menu in spark2014 tab
    Menus 'Examine ...' in GPS now open a panel similar to the basic panel displayed for proof. In particular, it allows to choose between three modes of analysis: check, check all, and flow analysis.

  • SPARK Pro
    Jul 7th, 2016

    More fine-grained proof of checks using “and”
    Assertions, loop invariants and pre- and postconditions which consist of several parts combined with "and" or "and then", are now proved seperately by SPARK. This allows better reporting of which part of the check is unproved, and it also allows better interaction between provers, where one prover may be able to prove one part of the heck, and another one the remaining part.

  • SPARK Pro
    Jul 7th, 2016

    New mode which outputs current state of analysis
    Previously, finding out which checks are proved or unproved required rerunning the tools, which could take quite some time. We now have added a new check-box to the proof dialog which is opened after selecting the "Prove All", "Prove File" and similar menu entries. Selecting this check-box will run gnatprove as usual, but no provers will be run, only existing results will be used. In this way, this option provides a relatively quick way to assess what's currently proved and not proved. The same behavior can be achieved on the command line, by adding the switch --output-msg- only,

  • SPARK Pro
    Jul 6th, 2016

    Support for enumeration types in counterexamples
    The counterexamples output by GNATprove when a check is not proved now display correct enumeration literals for variables of enumeration types.

  • SPARK Pro
    Jun 23rd, 2016

    New check_all mode for GNATprove
    GNATprove now has a new mode for running the SPARK tools. This is the check_all mode, in which a full check of SPARK legality rules is done.

  • SPARK Pro
    Jun 16th, 2016

    Improved info messages on objects initialization
    Now we emit info messages for every constituent of an abstract state, including protected objects. Also, we only emit info messages on initialized objects if they are mentioned in an Initializes aspect.

  • SPARK Pro
    Jun 15th, 2016

    Entry guards are now taken into account
    GNATprove now also takes into account the boolean expression provided as a guard of an entry of a protected type. This was previously not the case.

  • SPARK Pro
    Jun 6th, 2016

    Support optional refinement in private part/child
    SPARK Reference Manual now allows refinement through the use of pragma or aspect Refined_Global and/or Refined_Depends in scopes where the full refinement of an abstract state is not visible, like the private part of the package defining the abstract state, or one of its child packages. The special rules in SPARK RM 7.2.4 for this so-called optional refinement are now supported in GNAT and GNATprove.

  • SPARK Pro
    Jun 6th, 2016

    Global variables known to be initialized in loops
    GNATprove now knows that in out global variables and parameters that are modified in loops are always initialized and thus are in their types. In particular, variables are in their range for scalars and their dynamic predicate is true if they have one.

  • SPARK Pro
    Jun 3rd, 2016

    Suppressed wrong warning message for X’Address
    SPARK does not look at X in X'Address as a used variable anymore and therefore it does not emit a warning message in case X is not initialised.

  • SPARK Pro
    May 23rd, 2016

    SPARK lemma library for nonlinear int arithmetic
    SPARK now comes with a library of lemmas separately proved in Coq, that can be called in user code to automatically prove nonlinear integer arithmetic properties, i.e. properties involving multiplication, division, modulo. The lemmas are ghost procedures, hence they are removed from the final executable when compiling without assertions. This library of lemmas is meant to be extended based on user needs. It is documented in the SPARK User's Guide, in section 4.10 about SPARK Libraries.

  • SPARK Pro
    May 16th, 2016

    Do not re-use files from previous versions of SPARK
    Intermediate files in the gnatprove directory from previous versions of the tools could mislead later versions of the tools, sometimes resulting in confusing crashes or confusing error messages. We now detect any such version mismatch and issue a prompt to clean up.

  • SPARK Pro
    May 12th, 2016

    Support for pragma Unused/Unreferenced/Unmodified
    SPARK now has support for pragma Unused, Unreferenced and Unmodified. We silence warnings (but not checks) about variables that have been mentioned in one of these pragmas; they can be used as an alternative to pragma Warnings Off.

  • SPARK Pro
    Apr 17th, 2016

    More flexible elaboration rules with static model
    GNATprove now implements a more flexible enforcement of SPARK elaboration rules, that does not always requires Elaborate_All for calls and reads of subprograms and variables defined in other units during elaboration. Specifically, when the static elaboration model of GNAT is used (i.e. when neither switch -gnatE nor pragma Elaboration_Checks (Dynamic) are used), the more powerful mechanism of the compiler is used to compute a safe elaboration order for calls across units during elaboration, and GNATprove only requires the use of Elaborate_Body on units that modify the value of library-level variables defined in the spec during the elaboration of the unit body (SPARK RM rule 7.7.1(5)).

  • SPARK Pro
    Apr 7th, 2016

    More options for reporting of results
    The --report switch of the gnatprove tool now provides one more option to select from. If the option --report=provers is selected, gnatprove will show information about which provers have contributed to the proof of each check.

  • SPARK Pro
    Mar 31st, 2016

    Deterministic proof by default with no timeout
    GNATprove is now deterministic by default, so it does not use timeouts unless explicitly instructed by the user to do so. Instead, a steps limit is used to bound the effort made by automatic provers to find a proof. This new design is based on a few changes: the proof level (switch --level) is 0 by default, proof level sets a value of steps but no value of timeout, switch --timeout takes a new value "auto", in addition to a possible time in seconds. The semantics of --timeout=auto is that it adjusts to the value of the proof level.

  • SPARK Pro
    Mar 31st, 2016

    Always generate axiom for expression function
    Previously, no axiom was generated for an expression function in a part of code with no explicit SPARK_Mode, which prevented proofs of client code that relied on the implicit postcondition of the expression function. Now, an axiom is generated in such a case.

  • SPARK Pro
    Mar 22nd, 2016

    Use stable names for aggregates used in definitions
    Aggregates used as initialization expressions in the declaration of objects now get transformed in Why3 into modules and functions with a stable name across versions in GNATprove, based on the name of the object they define. This eases maintenance of manual proofs done in interactive provers.

  • SPARK Pro
    Mar 21st, 2016

    Reproducible generation of VCs
    Previously, proof oblications (or VCs) generated by SPARK could be slightly different from one run of SPARK tools to the other. Now, if the source files have not changed, exactly the same VCs will be generated. This is useful if external tools are used to track or cache such VCs.

  • SPARK Pro
    Mar 15th, 2016

    Allow to disable steps limit
    The --level switch of GNATprove sets a steps limit, and it was previously impossible to disable this steps limit without removing the --level switch entirely. Now one can add the switch --steps=0 to the GNATprove command line invocation to keep all the settings of the --level switch and only disable the steps limit.

  • SPARK Pro
    Mar 15th, 2016

    Specific attributes as valid volatile context
    A reference to a volatile object with enabled properties Async_Writers or Effective_Reads can now safely appear as the prefix of attributes Address, Alignment, Component_Size, First_Bit, Last_Bit, Position, Size, Storage_Size.

  • SPARK Pro
    Dec 23rd, 2015

    Fine-grain analysis of generic code in GPS
    It is now possible to use the submenus "Examine Subprogram", "Prove Subprogram", "Prove Line" and "Prove Check" (from the contextual menu in GPS) from within a generic unit, which has the effect of applying the desired analysis on all instances of the generic unit. The same effect can be obtained on the command-line by using switch -U in addition to the required switches --limit- subp and --limit-line, although the main benefit is expected to be for interactive use in GPS.

  • SPARK Pro
    Dec 15th, 2015

    Better support for use of Why3 IDE
    For advanced users and mainly in connection with manual proof using interactive proof assitansts such as Coq and Isabelle, it can be useful to use the Why3 IDE (not provided by AdaCore) to inspect and modify the session file. This use case is now better supported, mainly it is easier to see what SPARK check a VC corresponds to.

  • SPARK Pro
    Dec 9th, 2015

    Generics’ formals can now appear on contracts
    The SPARK toolset now allows user provided contracts that are placed on generics to refer to the generics' formals.

  • SPARK Pro
    Nov 20th, 2015

    Better support for ‘Update of arrays
    The SPARK toolset now has a better understanding of the 'Update attribute related to array updates. In particular previously SPARK did not know that the attribute could not change the bounds of the underlying array. SPARK now uses this information and this leads to more proofs related to array bounds, array length and array equality, when the 'Update attribute is involved.

  • SPARK Pro
    Nov 20th, 2015

    Continue compilation/analysis on division by zero
    When SPARK_Mode is On, GNAT and GNATprove implement stricter rules than those mandated by Ada RM, by issuing errors on compile-time known constraint errors instead of warnings and unproved check messages. This was the case for divisions by zero which appear legitimately in deactivated code. Such divisions by zero do no stop compilation and analysis anymore, instead a check is generated by GNATprove during proof.

  • SPARK Pro
    Nov 19th, 2015

    SPARK uses transformations in Why3 session file
    If the Why3 session of SPARK is modified using other tools (e.g. the why3ide tool), and extra transformations are inserted into the session tree, then SPARK will now use this information and "follow" these transformations. This allows a better use of external tools such as why3ide in combination with SPARK, for example to apply transformations that help automatic proof, or for manual proof.

  • SPARK Pro
    Nov 18th, 2015

    Global refinement of In_Out abstract state
    An abstract state classified as In_Out in a Global annotation can now be refined by the following combinations of constituents: 1) At least one constituent must be of mode In_Out, 2) At least one constituent must be of mode Output and at least one constituent must be of mode Input or Proof_In.

  • SPARK Pro
    Nov 12th, 2015

    Generic formals as initialization items
    Generic formal parameters can now appear in the input_list of an initialization_item within aspect or pragma Initializes.

  • SPARK Pro
    Nov 10th, 2015

    Display correct counterexample values in loops
    If there is both counterexample value for a variable in the first iteration of a loop and a counterexample value for the same variable after the first iteration, only the former one was displayed by GNATprove. However, in this case, the counterexample value after the first iteration is relevant and thus GNATprove now displays this value in the counterexample.

  • SPARK Pro
    Nov 10th, 2015

    Better provability of conversion between floats
    It is now easier to prove that conversions between floating-point types preserve the value converted, when both the source and the target types are single (resp. double) precision floating-point types.

  • SPARK Pro
    Nov 9th, 2015

    External abstract state refinement
    The refinement of an external abstract state can now mention non- external constituents.

  • SPARK Pro
    Nov 6th, 2015

    Display array bounds in counterexamples
    GNATprove now displays values of attributes 'First and 'Last for values of array types in counterexamples.

   1  2  3     Next »