Logic vs. Magic
or: why wizards are not enough

Peter Amey
Ada Europe 2001
Agenda
• Introduction: a historical magic
• The software process
• What are “Critical Systems”?
• The need to “reason”
• Engineering revisited
• Non-technical Issues
• Advantages of logic — project experience
• Summary
www.sparkada.com
A Historical Magic
• Go to statement considered harmful
• Structured programming
• “De-spag” tools
A Specification

Add up the first N (positive) values of the array

Does that mean:
   traverse the array until N positive values have been found and sum them
or
   traverse N elements of the array and sum any positive ones (ignoring any negative ones)?
-- Atype is an array of Integer indexed by Aindex; the type declarations
-- are omitted on the slide.  This is the "second reading" of the
-- specification: N elements are visited and the positive ones summed.
function Sum(A : Atype; Count : Aindex) return Integer is
   Accumulator, Value : Integer;
   Index              : Aindex;
begin
   Accumulator := 0;
   Index := 1;
   <<Label1>> Value := A(Index);
   if Value <= 0 then
      goto Label2;
   end if;
   Accumulator := Accumulator + Value;
   <<Label2>> if Index = Count then
      goto Label3;
   end if;
   Index := Index + 1;
   goto Label1;
   <<Label3>> return Accumulator;
end Sum;
-- The same algorithm after a "de-spag" tool has replaced the gotos by a
-- state variable IC (Counter is assumed to be an integer type with range
-- 1 .. 6).  The gotos are gone, but each case arm is one of the old
-- labelled fragments and the control flow is no easier to reason about.
function Sum(A : Atype; Count : Aindex) return Integer is
   IC                 : Counter;
   Accumulator, Value : Integer;
   Index              : Aindex;
begin
   IC := 1;
   Accumulator := 0;
   Index := 1;
   while IC < 6 loop
      case IC is
         when 1 => Value := A(Index); IC := 2;
         when 2 => if Value <= 0 then IC := 4; else IC := 3; end if;
         when 3 => Accumulator := Accumulator + Value; IC := 4;
         when 4 => if Index = Count then IC := 6; else IC := 5; end if;
         when 5 => Index := Index + 1; IC := 1;
         when 6 => null;   -- never executed: the loop exits when IC = 6
      end case;
   end loop;
   return Accumulator;
end Sum;
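The point of the three slides above is that the informal requirement has two readings and the code on the slides silently picks one of them. The following is an added example, not code from the talk, written in C rather than Ada so that it runs without an Ada toolchain: both readings are implemented side by side over a constructed sample array, and a helper reports the values of N for which they disagree. The function names and the sample data are this example's own. It also adds the bounds clamp that the slide code lacks, since in Ada an index outside Aindex raises Constraint_Error whereas in C it would be a silent out-of-bounds read.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Reading 1: scan the array until n positive values have been found and
 * sum those n values.  Stops early if the array runs out; *found (may be
 * NULL) receives how many positive values were actually counted. */
int sum_first_n_positive(const int *a, size_t len, size_t n, size_t *found)
{
    int acc = 0;
    size_t got = 0;
    for (size_t i = 0; i < len && got < n; i++) {
        if (a[i] > 0) {
            acc += a[i];
            got++;
        }
    }
    if (found != NULL) {
        *found = got;
    }
    return acc;
}

/* Reading 2: look only at the first n elements and sum the positive ones,
 * skipping any that are <= 0.  This is what the goto version and the
 * state-machine version on the slides compute.  The clamp below is the
 * bounds guard the slide code does not have. */
int sum_positive_among_first_n(const int *a, size_t len, size_t n)
{
    int acc = 0;
    if (n > len) {
        n = len;
    }
    for (size_t i = 0; i < n; i++) {
        if (a[i] > 0) {
            acc += a[i];
        }
    }
    return acc;
}

/* Constructed sample input: a negative value sits among the first few
 * elements, which is exactly where the two readings part company. */
static const int SAMPLE[] = { 3, -4, 5, 7, 2 };
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Number of positive values reading 1 actually found for a given n. */
size_t positives_found(size_t n)
{
    size_t found = 0;
    (void)sum_first_n_positive(SAMPLE, SAMPLE_LEN, n, &found);
    return found;
}

/* 1 if the two readings give different answers for this n, else 0. */
int readings_disagree(size_t n)
{
    int r1 = sum_first_n_positive(SAMPLE, SAMPLE_LEN, n, NULL);
    int r2 = sum_positive_among_first_n(SAMPLE, SAMPLE_LEN, n);
    return r1 != r2;
}

int main(void)
{
    for (size_t n = 1; n <= SAMPLE_LEN; n++) {
        printf("N=%zu  first-N-positive=%d  positive-among-first-N=%d  %s\n",
               n,
               sum_first_n_positive(SAMPLE, SAMPLE_LEN, n, NULL),
               sum_positive_among_first_n(SAMPLE, SAMPLE_LEN, n),
               readings_disagree(n) ? "DISAGREE" : "agree");
    }
    return 0;
}
```

On the sample array the two readings agree for N = 1 and N = 5 and disagree for N = 2, 3 and 4, so a test suite that happens to use only the agreeing values would pass either implementation. That gap between what was specified and what was built is the one a reviewer has to close before any amount of de-spagging or testing can help.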
Engineering:
The use of science and mathematics to solve practical problems
the software process
The software process
• Progressive refinement:
  – a need
  – requirements
  – specification
  – design
  – source code
  – object code
A Specification

Add up the first N (positive) values of the array

[Z schema; the typeset mathematics did not survive extraction. As far as the surviving tokens (nonNegSum, sum, seq, Z, N, 0, the concatenation operator, 1..n) show, the schema defines nonNegSum : seq Z -> Z by recursion over the sequence, with nonNegSum of the empty sequence equal to 0 and each positive element added, and then defines sum : seq Z x N -> Z as sum(s, n) = nonNegSum of the first n elements of s (the restriction of s to 1..n). The formal specification thus fixes the second reading of the informal one: positive values among the first n elements.]
Language Insecurity
a tiny example
procedure Init2(X, Y : out Integer) is
begin
   X := 1;
   Y := 2;
end Init2;
What is the meaning of:
Init2(A, A);
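The slide leaves the question open, so here it is answered. Ada passes scalars such as Integer by copy-in/copy-out, and the order in which the two out parameters are copied back to the actuals is not fixed by the language, so for Init2(A, A) a compiler may legitimately leave A = 1 or A = 2 (later Ada revisions made this particular call illegal where the aliasing is visible at the call, which is the SPARK approach). The following is an added example, not code from the talk, written in C so that it runs without an Ada toolchain: the copy-in/copy-out mechanism is modelled explicitly so both outcomes can be observed, next to the by-reference reading and a run-time aliasing check for languages where the compiler will not refuse the call. The function names are this example's own.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* The by-reference reading: both stores hit the same object, the
 * second store wins, and A ends up 2.  In C this outcome is fixed
 * because the two assignments are sequenced. */
void init2_by_reference(int *x, int *y)
{
    *x = 1;
    *y = 2;
}

/* The body of Init2 as Ada sees it: it only ever touches its own
 * formals, which for a by-copy type are private copies. */
static void init2_body(int *x_formal, int *y_formal)
{
    *x_formal = 1;
    *y_formal = 2;
}

/* Copy-in/copy-out, the mechanism Ada uses for scalar out parameters.
 * The copies are written back after the call in an order the language
 * does not fix; y_first selects one of the two permitted orders.
 * (Ada does not copy in for mode out; it is done here only to keep
 * the model simple and changes nothing.) */
void init2_copy_in_copy_out(int *x, int *y, int y_first)
{
    int x_copy = *x;
    int y_copy = *y;
    init2_body(&x_copy, &y_copy);
    if (y_first) {                   /* copy out: Y then X */
        *y = y_copy;
        *x = x_copy;
    } else {                         /* copy out: X then Y */
        *x = x_copy;
        *y = y_copy;
    }
}

/* What Init2(A, A) leaves in A under each mechanism. */
int aliased_result_by_reference(void)
{
    int a = 0;
    init2_by_reference(&a, &a);
    return a;                        /* always 2 */
}

int aliased_result_copy_in_out(int y_first)
{
    int a = 0;
    init2_copy_in_copy_out(&a, &a, y_first);
    return a;                        /* 1 if y_first, 2 otherwise */
}

/* A practitioner's guard when the language will not provide one:
 * refuse aliased actuals at the boundary instead of computing a value
 * whose meaning depends on the compiler.  Returns 1 on success, 0 if
 * the two actuals are the same object (nothing is written in that
 * case).  SPARK rejects such a call before the program ever runs. */
int init2_checked(int *x, int *y)
{
    if (x == y) {
        return 0;                    /* aliasing detected, call refused */
    }
    *x = 1;
    *y = 2;
    return 1;
}

int checked_rejects_alias(void)
{
    int a = 7;
    int ok = init2_checked(&a, &a);
    return ok == 0 && a == 7;        /* 1: refused and A untouched */
}

int checked_accepts_distinct(void)
{
    int a = 0, b = 0;
    int ok = init2_checked(&a, &b);
    return ok == 1 && a == 1 && b == 2;
}

int main(void)
{
    printf("by reference:        A = %d\n", aliased_result_by_reference());
    printf("copy-out X then Y:   A = %d\n", aliased_result_copy_in_out(0));
    printf("copy-out Y then X:   A = %d\n", aliased_result_copy_in_out(1));
    printf("checked, aliased:    %s\n", checked_rejects_alias() ? "refused" : "ran");
    return 0;
}
```

The pointer-equality check catches only the direct alias; two pointers into overlapping objects would pass it, which is why a static rule that forbids the situation outright (SPARK's) is preferable to a run-time test.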
Formality at last!
10100110100100001000100010010001101010001111010101000010101010101010101010010100101010101000010101010010010101001101010101010101000001010001010100101010010100100101010101010101010101111010010100101010101010100101010101010010110100101010101001010100101000001111111010100101001111110010101001010110000100101010100010101001001010101010100101000000000011110111000000101001000010100101010111100000000011110101010000101111
A typical development process
[Diagram: the development process drawn as an informal, opaque black box whose only precise product is the object code at the end]
what are “critical systems”?
What are critical systems?
• Some important objectives:
  – efficiency
  – cost
  – time to market
  – functionality
What are critical systems?
• Systems where reliability is more important than:
  – efficiency
  – cost
  – time to market
  – functionality
Robert Dewar - Ada Core Technologies
Producing Safety-Critical Software
• Not just a question of “being more careful”
• The need to be able to show, before there is any service experience, that a system will be safe enough requires a qualitatively different approach
• We can only achieve this by logical reasoning.
Foundations of Reasoning
• We reason about information
• But what about “information hiding”?
• We need to hide detail, not information
• We do this through abstraction
• We can’t just magic complexity away

Example: Program “State”
Swap Algorithm

Temp : T;   -- the temporary lives outside Swap, as a global

procedure Swap(X, Y : in out T) is
begin
   Temp := X;
   X := Y;
   Y := Temp;
end Swap;
A Store Object

package Store is
   procedure Put(X : in T);
   function Get return T;
end Store;
Swap Algorithm
procedure Swap(X, Y : in out T) is
begin
Store.Put(X);
X := Y;
Y := Store.Get;
end Swap;
[Diagram, two builds: boxes for Store, Swap and Heap showing where the state behind Store might live; in the second build the Heap is replaced by question marks, asking where that state actually is]

• The location of state is the single biggest influence on coupling and cohesion.
• It is probably the most important design decision we must make
yet
• OOP regards it as an “implementation detail”; and
• UML does not even have a notation to express it!
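What hiding the state behind Store costs is easier to see in code than in a diagram. The following is an added example, not code from the talk, written in C so that it runs without an Ada toolchain: the Store package is a single hidden slot, Swap is exactly the slide's Put-then-Get version, and a second client, written by someone who took "Store's state is an implementation detail" at face value, batches its Puts and gets a wrong answer without any interface rule being broken. The function names and values are this example's own.

```c
#include <assert.h>
#include <stdio.h>

typedef int T;

/* The Store package from the slides: one hidden slot.  This variable is
 * the state that the SPARK annotation  --# own State;  would have to
 * name in the package specification. */
static T store_state;

void store_put(T x)
{
    store_state = x;
}

T store_get(void)
{
    return store_state;
}

/* Swap exactly as on the slide: Put, then Get, with nothing in between. */
void swap(T *x, T *y)
{
    store_put(*x);
    *x = *y;
    *y = store_get();
}

/* A client that reorders the calls: two Puts, then two Gets.  With a
 * single slot the first Put is overwritten before it is ever read, so
 * the first pair is swapped wrongly.  Nothing in Store's interface
 * (Put, Get) forbids this; only knowledge of where the state lives,
 * and how much of it there is, does. */
void swap_pairs_batched(T *x1, T *y1, T *x2, T *y2)
{
    store_put(*x1);
    store_put(*x2);                  /* silently discards *x1 */
    *x1 = *y1;
    *x2 = *y2;
    *y1 = store_get();               /* receives the old *x2, not *x1 */
    *y2 = store_get();
}

/* 1 if the single swap behaves as specified. */
int swap_is_correct(void)
{
    T a = 1, b = 2;
    swap(&a, &b);
    return a == 2 && b == 1;
}

/* 1 if the batched variant swaps both pairs; it does not. */
int batched_swap_is_correct(void)
{
    T a = 1, b = 2, c = 3, d = 4;
    swap_pairs_batched(&a, &b, &c, &d);
    return a == 2 && b == 1 && c == 4 && d == 3;
}

/* The value left in the first pair's second element after the batched
 * call: the other pair's 3, where 1 was expected. */
T batched_leaked_value(void)
{
    T a = 1, b = 2, c = 3, d = 4;
    swap_pairs_batched(&a, &b, &c, &d);
    return b;
}

int main(void)
{
    printf("swap:          %s\n", swap_is_correct() ? "correct" : "WRONG");
    printf("batched pairs: %s (b = %d, expected 1)\n",
           batched_swap_is_correct() ? "correct" : "WRONG",
           batched_leaked_value());
    return 0;
}
```

With the SPARK annotations shown later in the talk (--# own State on Store, --# global on Put, Get and Swap) the dependency on Store.State is part of every interface rather than a detail, and the flow analyser reports the first Put in the batched client as an ineffective statement, since its value is overwritten before it is read. That is the hidden complexity surfacing at analysis time instead of at integration testing.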
OOP - The Biggest Magic of them All
• We hide all state
• We disguise the hierarchical relationships between objects
• We hide the control flow by use of messages and dynamic dispatch
• In extreme cases, we even deny there is a software design process at all (Shlaer Mellor)

Of course all this hiding makes things easier - at least until all the hidden complexity emerges during integration testing!
An OOP Array Sum
[Diagram: the array sum split across four objects: State Handler, Total Handler, Count Handler and Data Handler]
“There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies.”
Professor C.A.R. Hoare, the 1980 Turing award lecture
“simplicate and add lightness”
Bill Stout - designer of the Ford Tri-motor
Engineering - a brief diversion
Aerodynamic theory
• Aristotle, Leonardo da Vinci, Newton
• Pressure/velocity relation: Bernoulli 1738
• Frictionless low-speed flow: Euler 1752
• Flow with friction: Navier/Stokes 1840
• Scale effects: Reynolds 1883
• Wright Brothers, Kittyhawk 1903
• Lifting-line theory: Prandtl 1915
Lifting-line Theory and Aerofoils
Engineering:
The use of science and mathematics to solve practical problems
Engineering:
Characterised by the blend of practical experience and the use of theoretical results
Non-technical issues
Important Non-technical Drivers
• Fashion
• Low expectations
• Poor contract writing
• The difficulty of saying “no”
• Gurus
• Belief that:
  – Software engineering is the same as knowing tool or product X
  – Knowing tool or product X is more important than domain or engineering knowledge
Low Expectations
• Software is always buggy
• Even Microsoft, “the best software company in the world”, produces buggy software
• Vendors never offer warranties
• Since software is always cr*p we might as well buy the cheapest cr*p
Project Experience
The benefits of logical reasoning
The Need to Reason
• To bring error detection forward we must be able to reason about source code
• We can’t reason about source code unless it has a precise meaning
• Too often the meaning of code is defined by its test results!
“… one could communicate with these machines in any language provided it was an exact language …”
“… the system should resemble normal mathematical procedure closely, but at the same time should be as unambiguous as possible.”
Alan Turing, 1948
What is SPARK?
• A sub-language of Ada with particular properties that make it ideally suited to the most critical of applications:
  – Completely unambiguous
  – All rule violations are detectable
  – Formally defined
  – Tool supported
• SPARK facilitates Correctness by Construction
A disclaimer
• SPARK is not the world’s only logic
• SPARK is not a superior magic
A Store Object
package Store
--# own State;
is
   procedure Put(X : in T);
   --# global out State;

   function Get return T;
   --# global State;
end Store;
procedure Swap(X, Y : in out T)
--# global out Store.State;
is
begin
   Store.Put(X);
   X := Y;
   Y := Store.Get;
end Swap;
Lockheed C130J
Lockheed on SPARK
• Some errors immediately uncovered by formal analysis, such as conditional initialization errors, may only emerge after very extensive testing.
• The technology for generating and discharging the proof obligations, based on the SPARK components of Ada, was crucial in binding the code to the initial requirements.
• SPARK provides an extremely robust and efficient basis for formal verification.
• The process has proven effective with typical software developers and did not necessitate an inordinate amount of additional training.
• Experience has shown that SPARK coding occurs at near typical Ada rates.
• Code written in SPARK is deterministic and inherently statically analysable.
• Very few errors have been found in the software during even the most rigorous levels of FAA testing, which is being successfully conducted for less than a fifth of the normal cost in industry.
• Correctness by construction is no longer a theoretical abstraction; it is now a practical way to develop software that exceeds its technical goals while delivering sterling business performance.
Aerosystems’ IV&V Conclusions
• Significant, safety-critical errors were found by static analysis in code developed to DO-178B Level A
• Proof of SPARK code was shown to be cheaper than other forms of semantic analysis performed
• SPARK code was found to have only 10% of the residual errors of full Ada and Ada was found to have only 10% of the residual errors of C
• No statistically significant difference in residual error rate could be found between DO-178B Level A and Level B code
Summary
“Any sufficiently advanced technology is indistinguishable from magic."
Arthur C. Clarke, 1962
But this doesn’t mean that all magical illusions are underpinned by advanced technology!
Logic vs Magic
• Magic is attractive because life would be so much easier if it worked!
• Magic is transient, fashion driven and ultimately futile
• Software engineering is hard because we are trying to solve hard problems
• The engineering response to solving hard problems is to use clever people and good mathematics
• Being the best screwdriver user in the world might make you a mechanic but not an engineer!
Why I use Ada
“The superior pilot uses his superior judgement to avoid those situations that would otherwise require his superior skill”
and finally
“Real life problems are those that remain after you have systematically failed to apply all the known solutions”
Edsger Dijkstra, 1973