\chapter{Introduction} \label{sec:intro} This document describes a link between Isabelle/HOL and the \SPARK{}/Ada tool suite for the verification of high-integrity software. Using this link, verification problems can be tackled that are beyond reach of the proof tools currently available for \SPARK{}. A number of examples can be found in the directory \texttt{HOL/SPARK/Examples} in the Isabelle distribution. An open-source version of the \SPARK{} tool suite is available free of charge from \hbox{\href{http://libre.adacore.com}{libre.adacore.com}}. In the remainder of \secref{sec:intro}, we give an introduction to \SPARK{} and the HOL-\SPARK{} link. The verification of an example program is described in \secref{sec:example-verification}. In \secref{sec:vc-principles}, we explain the principles underlying the generation of verification conditions for \SPARK{} programs. Finally, \secref{sec:spark-reference} describes the commands provided by the HOL-\SPARK{} link, as well as the encoding of \SPARK{} types in HOL. \section{\SPARK{}} \SPARK{} \cite{Barnes} is a subset of the Ada language that has been designed to allow verification of high-integrity software. It is missing certain features of Ada that can make programs difficult to verify, such as \emph{access types}, \emph{dynamic data structures}, and \emph{recursion}. \SPARK{} allows to prove absence of \emph{runtime exceptions}, as well as \emph{partial correctness} using pre- and postconditions. Loops can be annotated with \emph{invariants}, and each procedure must have a \emph{dataflow annotation}, specifying the dependencies of the output parameters on the input parameters of the procedure. Since \SPARK{} annotations are just written as comments, \SPARK{} programs can be compiled by an ordinary Ada compiler such as GNAT. \SPARK{} comes with a number of tools, notably the \emph{Examiner} that, given a \SPARK{} program as an input, performs a \emph{dataflow analysis} and generates \emph{verification conditions} (VCs) that must be proved in order for the program to be exception-free and partially correct. The VCs generated by the Examiner are formulae expressed in a language called FDL, which is first-order logic extended with arithmetic operators, arrays, records, and enumeration types. For example, the FDL expression \begin{alltt} for_all(i: integer, ((i >= min) and (i <= max)) -> (element(a, [i]) = 0)) \end{alltt} states that all elements of the array \texttt{a} with indices greater or equal to \texttt{min} and smaller or equal to \texttt{max} are $0$. VCs are processed by another \SPARK{} tool called the \emph{Simplifier} that either completely solves VCs or transforms them into simpler, equivalent conditions. The latter VCs can then be processed using another tool called the \emph{Proof Checker}. While the Simplifier tries to prove VCs in a completely automatic way, the Proof Checker requires user interaction, which enables it to prove formulae that are beyond the scope of the Simplifier. The steps that are required to manually prove a VC are recorded in a log file by the Proof Checker. Finally, this log file, together with the output of the other \SPARK{} tools mentioned above, is read by a tool called POGS (\textbf{P}roof \textbf{O}bli\textbf{G}ation \textbf{S}ummariser) that produces a table mentioning for each VC the method by which it has been proved. In order to overcome the limitations of FDL and to express complex specifications, \SPARK{} allows the user to declare so-called \emph{proof functions}. The desired properties of such functions are described by postulating a set of rules that can be used by the Simplifier and Proof Checker \cite[\S 11.7]{Barnes}. An obvious drawback of this approach is that incorrect rules can easily introduce inconsistencies. \section{HOL-\SPARK{}} The HOL-\SPARK{} verification environment, which is built on top of Isabelle's object logic HOL, is intended as an alternative to the \SPARK{} Proof Checker, and improves on it in a number of ways. HOL-\SPARK{} allows Isabelle to directly parse files generated by the Examiner and Simplifier, and provides a special proof command to conduct proofs of VCs, which can make use of the full power of Isabelle's rich collection of proof methods. Proofs can be conducted using Isabelle's graphical user interface, which makes it easy to navigate through larger proof scripts. Moreover, proof functions can be introduced in a \emph{definitional} way, for example by using Isabelle's package for recursive functions, rather than by just stating their properties as axioms, which avoids introducing inconsistencies. \begin{figure} \begin{center} \begin{tikzpicture} \tikzstyle{box}=[draw, drop shadow, fill=white, text width=3.5cm, text centered] \tikzstyle{rbox}=[draw, drop shadow, fill=white, rounded corners, minimum height=1cm] \node[box] (src) at (5,0) {Source files (\texttt{*.ads, *.adb})}; \node[rbox] (exa) at (5,-2) {Examiner}; \node[box] (fdl) at (0.5,-4) {FDL declarations \\ (\texttt{*.fdl})}; \node[box] (vcs) at (5,-4) {VCs \\ (\texttt{*.vcg})}; \node[box] (rls) at (9.5,-4) {Rules \\ (\texttt{*.rls})}; \node[rbox] (simp) at (5,-6) {Simplifier}; \node[box] (siv) at (5,-8) {Simplified VCs \\ (\texttt{*.siv})}; \node[rbox] (isa) at (5,-10) {HOL-\SPARK{}}; \node[box] (thy) at (9.5,-10) {Theory files \\ (\texttt{*.thy})}; \node[box] (prv) at (5,-12) {Proof review files \\ (\texttt{*.prv})}; \node[rbox] (pogs) at (5,-14) {POGS}; \node[box] (sum) at (5,-16) {Summary file \\ (\texttt{*.sum})}; \draw[-latex] (src) -- (exa); \draw[-latex] (exa) -- (fdl); \draw[-latex] (exa) -- (vcs); \draw[-latex] (exa) -- (rls); \draw[-latex] (fdl) -- (simp); \draw[-latex] (vcs) -- (simp); \draw[-latex] (rls) -- (simp); \draw[-latex] (simp) -- (siv); \draw[-latex] (fdl) .. controls (0.5,-8) .. (isa); \draw[-latex] (siv) -- (isa); \draw[-latex] (rls) .. controls (9.5,-8) .. (isa); \draw[-latex] (thy) -- (isa); \draw[-latex] (isa) -- (prv); \draw[-latex] (vcs) .. controls (-1,-6) and (-1,-13) .. (pogs); \draw[-latex] (siv) .. controls (1,-9) and (1,-12) .. (pogs); \draw[-latex] (prv) -- (pogs); \draw[-latex] (pogs) -- (sum); \end{tikzpicture} \end{center} \caption{\SPARK{} program verification tool chain} \label{fig:spark-toolchain} \end{figure} Figure \ref{fig:spark-toolchain} shows the integration of HOL-\SPARK{} into the tool chain for the verification of \SPARK{} programs. HOL-\SPARK{} processes declarations (\texttt{*.fdl}) and rules (\texttt{*.rls}) produced by the Examiner, as well as simplified VCs (\texttt{*.siv}) produced by the \SPARK{} Simplifier. Alternatively, the original unsimplified VCs (\texttt{*.vcg}) produced by the Examiner can be used as well. Processing of the \SPARK{} files is triggered by an Isabelle theory file (\texttt{*.thy}), which also contains the proofs for the VCs contained in the \texttt{*.siv} or \texttt{*.vcg} files. Once that all verification conditions have been successfully proved, Isabelle generates a proof review file (\texttt{*.prv}) notifying the POGS tool of the VCs that have been discharged.