Introduction to Penelope by Guaspari, David
INTRODUCTION TO PENELOPE
David Guaspari
Odyssey Research Associates
N96-10030
A formal program verification is a (mathematical) proof that a program executed according to its
intended model meets some specification. This proves that the algorithm defined by the program is
correct in the precise technical sense of being consistent with a particular specification. A program
correct in this sense is free from a large and important class of errors, even though its behavior may
still produce unintended results---either because the implementation of the programming language
itself does not match the model of execution, or because the specification does not correctly express
the user's intentions.
Penelope is a prototype system for interactively developing and verifying programs that are written in a rich subset of sequential Ada. Penelope can be used to develop a program and its correctness proof incrementally, and in concert with one another. Incrementality is used in a number of ways to help make verification more tractable and more productive. For example, if an already-verified program is modified, one can attempt to prove the modified version by replaying and modifying the original verification.
Penelope's specification language, Larch/Ada, belongs to the family of Larch interface languages.
Larch/Ada scales up properly, in the sense that it is demonstrably sound to decompose a system
hierarchically and reason locally about the implementation of each piece.
Penelope has been applied in various demonstration projects---for specification (guidance control, distributed operating system), verification (of off-the-shelf code), and formal development (by non-expert as well as expert users). Some features of Penelope have been embodied in AdaWise, a lint-like non-interactive tool that warns of the potential for certain dynamic semantic errors in Ada programs.
https://ntrs.nasa.gov/search.jsp?R=19960000030 2020-06-16T06:56:02+00:00Z
Session 6: Hardware Systems
Paul Miner, Chair
• The Formal Verification Technology Used on AAMP5, by Mandayam Srivas, SRI International
• Specification and Verification of VHDL Designs, by Damir Jamsek, Odyssey Research Associates
• Derivational Reasoning System, by Bhaskar Bose, Derivation Systems Inc.
