Modular verification of Ada library units

Abstract

Modular verification of Ada library units enables programmers to write and verify small program units and to compose them with minimal additional effort into larger correct programs. Penelope is a prototype verification environment for Ada that supports separate verification of program units and their composition. The authors have extended Penelope to enable verification of larger Ada programs, consisting of multiple compilation units. They discuss two major issues that arise from the composition of program modules. The first is ensuring that the composition itself is correct, that is, that assumptions made by one module about another indeed hold. The elaboration of Ada packages poses new problems, which are described along with the solution adopted. A novel technique for reducing the amount of annotation required from the user is described. The second issue is maintaining consistency between the various modules without incurring excessive overhead. The way in which a set of modules is kept consistent depends on the structure of the language. The method, called separate verification, is closely modeled on the technique of separate compilation used in Ada. How Ada techniques can be adapted for a verification environment is discussed.<>