Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[tooling] meeting notes 23 January 2025 #160

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[tooling] meeting notes 23 January 2025 #160

wants to merge 3 commits into from

Conversation

alexandruradovici
Copy link
Collaborator

This pull request adds the meeting notes for the meeting from 23 January 2025.

I did not write down the list of attendants (my fault), please feel free do add yourself if you were present. Thank you.

scrabsha
scrabsha reviewed Feb 11, 2025
View reviewed changes
subcommittee/tooling/meetings/23-January-2025/minutes.md
Comment on lines +29 to +31
| Underfined Behaviour Absence | ASIL-D? | [verifast](https://github.com/verifast/verifast) - wip, [creusot](https://github.com/creusot-rs/creusot) - wip, works only for safe rust, [gillian-creusot](wip - not in a usable state, works for unsafe rust), [kani](https://model-checking.github.io/kani/) |
| Static Analysis Tools | (ask Oreste Bernardi), DAL-A, DAL-B, DAL-C | probably similar to Polyspace, an assesement about what the rust compiler covers is necessary. For DO-178 such tools support the "source code conformity" objective. |
| Formal Methods | ASIL-D | does this mean more than UB? |
Copy link
Contributor

@scrabsha scrabsha Feb 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I poked around internally.

For line 31, formal methods are more than UB detection. Formal methods is when the properties of the software are rigorously rather than heuristically verified.

Static analysis only means "without execution".

Some formal methods belong to static analysis (static strong typing), some are not (concolic execution).

With that being said, there is no inclusion between Static Analysis tools and Formal Methods. Some static analysis tools work by detecting "suspicious patterns" and do not provide any formal guarantee of the absence of the undesirable property when their patterns are not matched, therefore they cannot be described as “formal methods”, even if some sophisticated implementations of such of these analyzers may borrow tools from formal methods, such as SMT provers.

creusot does not mention undefined behavior at all. It focuses on proving functionnal correctness rather than the absence of UB. It does so by using formal methods, and doesn't run any code.

kani uses model checking and (as I understand it) does not require any execution. It therefore belongs to formal methods and static analysis.

verifast provides deductive verification like creusot while relying on a different approach internally (forward symbolic execution). It is formal methods and a form of static analysis.

I suggest the following edits:

  • Move both creusot and kani to the Static Analysis Tools and the Formal Methods rows
  • Move verifast in the Formal Methods row
  • Delete the Undefined Behavior Absence row

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scrabsha scrabsha scrabsha left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alexandruradovici @scrabsha @af-airbus