This paper describes work in progress at the University of York on worst-case timing analysis of software for hard real-time and safety-critical systems. We are pursuing a programming environment that combines the technologies of program proof and timing analysis. In short, the analytical power afforded by a classical program proof tool is ideal for the
This paper describes the use of formal development methods on an industrial safety-critical application. The Z notation was used for documenting the system specification and part of the design, and the SPARK subset of Ada was used for coding. However, perhaps the most distinctive nature of the project lies in the amount of proof that was carried out:
Existing security models require that information of a given security level be prevented from "leaking" into lower-security information. High-security applications must be demonstrably free of such leaks, but such demonstration may require substantial manual analysis. Other authors have argued that the natural way to enforce these models automatically is
This paper considers a number of large, real-world projects that are using SPARK, an annotated sublanguage of Ada that is appropriate for the development of high-integrity systems. Three projects are considered in some detail where SPARK has made a contribution to meeting the most stringent software engineering standards. The projects are the
This paper describes a method for analysing the timing properties of exception handling in Ada. The paper first describes how exceptions are implemented and considers the use of exceptions in the SPARK, Safe/Ada and ANNA subsets. A static analysis technique for reasoning about exception propagation is then presented. We argue that this technique, along with