#1 formal methods – introduction for software engineering
TRANSCRIPT
Prepared by: Sharif Omar Salem – [email protected]
Formal Methods – Introduction to Formal Methods for Software Engineering
This lecture content
• Scientists Quotes
• Problems in software development
• Formal Logic
• Formal Methods
• Why to use FM techniques
• Case studies
• Specification
• Verification
• Overview of programming paradigms
• Formal Methods Tools and Notations
Scientists Quotes..
"Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is so extremely rewarding."
(Edsger Dijkstra)
..Scientists Quotes..
"A more mathematical approach is inevitable. Professional software development—not the everyday brand practiced by the public at large—will become more like a true engineering discipline, applying mathematical techniques.
I don't know how long this evolution will take, but it will happen. The basic theory is there, but much work remains to make it widely applicable."
(Bertrand Meyer, a pioneer of object technology)
..Scientists Quotes
Software engineers want to be real engineers. Real engineers use mathematics.
Formal methods are the mathematics of software engineering. Therefore, software engineers should use formal methods.
(Mike Holloway, NASA)
Problems in software development..
Diagram: S (Specification: what to do) --construct--> P (Program: how to do it)
• How do we ensure that S is not ambiguous, so that it can be correctly understood by all the people involved?
• How can S be used effectively for inspecting and testing P?
• How can software tools effectively support the analysis of S, the transformation from S to P, and the verification of P against S?
..Problems in software development..
Diagram (development process): stages Requirements analysis, Formal Specification, Design, Coding, Testing; arrows labelled Validation, Verification, Verification.
..Problems in software development..
Analysis techniques:
• Simulation
• Testing
• Verification
• Run-time monitoring
..Problems in software development..
Simulation means constructing a model of an existing system to be studied, or of a system to be built, and then executing actions allowed in this model. The model can be:
• a physical entity (e.g., a scale clay model), or
• a computer representation.
Testing is a technique for detecting errors or problems in implemented software, hardware, or non-computer systems. It consists of executing or operating the system to be tested using a finite set of inputs and then checking whether the corresponding outputs or behavior are correct with respect to the specifications.
..Problems in software development
Verification is the procedure of confirming that software meets its requirements; in other words, it means checking the software with respect to the specification.
Run-time monitoring: apply your final software to real-world input data (like a beta release of the software).
Formal Logic..
• Multiple definitions:
• The foundation for an organized and careful method of thinking that characterizes reasoned activity.
• The study of reasoning, specifically concerned with whether something is correct or false.
• Formal logic focuses on the relationship between statements as opposed to the content of any particular statement.
.. Formal Logic
Example 1: Imagine you're a mechanic and you know that either the fuel filter is clogged or the fuel pump is defective. But you just replaced the fuel filter. So you know the problem must be with the fuel pump.
Premise: Either it's the fuel filter or it's the fuel pump.
Premise: It's not the fuel filter.
Conclusion: It's the fuel pump.
Formal Methods..
Major goal of software engineers: develop reliable systems... how?
Formal Methods:
• Mathematical languages, techniques and tools
• Used to specify and verify systems
• Goal: help engineers construct more reliable systems
• A means to examine the entire state space of a design (whether hardware or software)
• Establish a correctness or safety property that is true for all possible inputs
..Formal Methods..
Formal methods are mathematical techniques for developing computer-based software and hardware systems.
In computer science and software engineering, formal methods are a particular kind of mathematically based techniques for the specification, development and verification of software and hardware systems.
..Formal Methods..
What are formal methods?
Formal methods = Formal Specification (Formal Notation) + Refinement + Formal Verification (Logical Calculus)
Underlying mathematics: set theory, logics, algebra, etc.
..Formal Methods..
Past years of formal methods:
• Obscure notation
• Non-scalable techniques
• Inadequate tool support
• Hard-to-use tools
• Very few case studies
• Not convincing for practitioners
Nowadays:
• Trying to find more rigorous notations
• Model checking and theorem proving complement simulation in the hardware industry
• More industrial-sized case studies
• Researchers try to gain the benefits of using formal methods...
..Formal Methods
Formal methods can be applied at various points throughout the development process: specification and verification.
Specification: give a description of the system to be developed, and its properties.
Verification: prove or disprove the correctness of a system with respect to the formal specification or property.
Why to use FM techniques ? ..
The use of formal methods can contribute to the reliability and robustness of a design. However, the high cost of using formal methods means that they are usually only used in the development of high-integrity systems, where safety or security is of utmost importance. Transport, communications, health and energy are all representative examples of critical systems where errors are not permitted.
A classic approach to ensuring the adequacy of a software system is testing or simulation. But most commercial systems have a bug report with every release. To mention some data, in 2002 the North-American Institute for Standards and Technologies estimated the cost of bugs to the American economy at 59 billion dollars.
.. Why to use FM techniques ? Examples of Faulty system ..
In 1994 an error was discovered in the implementation of division operations in Pentium processors. Even though millions of processors had by then been sold, Intel was forced to exchange (free of charge) all the units produced.
Beyond the financial impact, the media emphasized the loss of confidence shown by Intel's users (i.e. the computer manufacturing industry), which had a much broader and more dramatic effect on the company.
.. Why to use FM techniques ?
It is very important to note that formal verification does not obviate the need for testing and other assertion techniques.
Formal verification cannot fix bad assumptions in the design, but it can help identify errors in reasoning which would otherwise be left unverified.
In several cases, engineers have reported finding flaws in systems once they reviewed their designs formally.
So, if formal verification is used, it is used as an additional assertion tool and not as a replacement.
Case Studies: CICS..
The CICS project
• CICS: Customer Information Control System
• The on-line transaction processing system of choice for large IBM installations
• In the 1980s Oxford Univ. and IBM Hursley Labs formalized parts of CICS with Z
• There was an overall improvement in the quality of the product
• It is estimated that it reduced the total development cost by 9%
• This work won the Queen's Award for Technological Achievement, the highest honor that can be bestowed on a UK company.
..Case Studies: Intel's Successes..
Intel uses formal verification quite extensively:
• Verification of the Intel Pentium 4 floating-point unit with a mixture of STE and theorem proving
• Verification of bus protocols using pure temporal logic model checking
• Verification of microcode and software for many Intel Itanium floating-point operations, using pure theorem proving
• FV found many high-quality bugs in the P4 and verified "20%" of the design
• FV is now standard practice in the floating-point domain
..Case Studies: NASA SATS..
Small Aircraft Transportation System (SATS)
• Use of a software system that will sequence aircraft into the SATS airspace in the absence of an airport controller
• There are serious safety issues associated with these software systems and their underlying key algorithms
..Case Studies: NASA SATS
• The criticality of such software systems necessitates that strong guarantees of safety be developed for them
• Under the SATS program, NASA Langley researchers are currently investigating rigorous verification of these software systems using formal methods: modeling and verification of air traffic conflict detection and alerting...
Specification..
Using a language with a mathematically defined syntax and semantics
System properties:
• Functional behavior
• Timing behavior
• Performance characteristics
• Internal structure
..Specification..
• Specification has been most successful for behavioral properties
• A trend is to integrate different specification languages, each able to handle a different aspect of a system
• Some other non-behavioral aspects of a system: performance, real-time constraints, security policies, architectural design
..Specification..
Formal methods for specification of sequential systems:
• Z (Spivey 1988)
• Constructive Z (Mirian 1997)
• VDM (Jones 1986)
• Larch (Guttag & Horning 1993)
States are described in rich mathematical structures (sets, relations, functions)
Transitions are described in terms of pre- and post-conditions
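As an added example (not from the lecture), here is an executable rendering in Python of a Z-style state schema with an invariant and operations stated as pre- and post-conditions, modelled on Spivey's classic birthday book; the class, its checks and the sample names are constructed for illustration.

```python
from dataclasses import dataclass, field

class PreconditionError(Exception):
    """Raised when an operation is invoked outside its precondition."""

@dataclass
class BirthdayBook:
    # Z state schema (Spivey's birthday book): known : P NAME,
    # birthday : NAME -+> DATE, with the invariant known = dom birthday.
    known: set[str] = field(default_factory=set)
    birthday: dict[str, str] = field(default_factory=dict)

    def invariant(self) -> bool:
        return self.known == set(self.birthday)

    def add_birthday(self, name: str, date: str) -> None:
        # AddBirthday: pre  name? not in known
        #              post birthday' = birthday U {name? |-> date?}
        if name in self.known:
            raise PreconditionError(f"{name} is already known")
        before = dict(self.birthday)
        self.known.add(name)
        self.birthday[name] = date
        assert self.birthday == {**before, name: date}   # postcondition
        assert self.invariant()                          # invariant preserved

    def find_birthday(self, name: str) -> str:
        # FindBirthday: pre name? in known; the state is unchanged (Xi schema)
        if name not in self.known:
            raise PreconditionError(f"{name} is not known")
        return self.birthday[name]

    def remind(self, today: str) -> set[str]:
        # Remind: cards! = { n : known | birthday(n) = today? }
        return {n for n in self.known if self.birthday[n] == today}

def demo() -> tuple[set[str], bool]:
    # Constructed sample data; the second add of "John" violates the precondition.
    book = BirthdayBook()
    book.add_birthday("John", "25-Mar")
    book.add_birthday("Mike", "20-Dec")
    book.add_birthday("Susan", "20-Dec")
    try:
        book.add_birthday("John", "01-Jan")
        rejected = False
    except PreconditionError:
        rejected = True
    return book.remind("20-Dec"), rejected
```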
..Specification
Formal methods for specification of concurrent systems:
• CSP (Hoare 1985)
• CCS (Milner 1980)
• Statecharts (Harel 1987)
• Temporal Logic (Pnueli 1981)
• I/O Automata (Lynch and Tuttle 1987)
States range over simple domains, like integers
Behavior is defined in terms of sequences, trees, partial orders of events
Verification
Two well-established approaches to verification: model checking and theorem proving
Model checking: build a finite model of the system and perform an exhaustive search
Theorem proving: mechanization of a logical proof
Theorem Proving
• Both the system and its desired properties are expressed in some mathematical logic
• Theorem proving is the process of finding a proof from the axioms of the system
• It can be roughly classified into highly automated programs and interactive systems with special-purpose capabilities
• In contrast to model checking, it can deal with infinite state spaces
• Relies on techniques like reduction.
Model Checking..
Diagram: an Informal Specification is turned (manually) into a Temporal Logic Formula (CTL, LTL, etc.); a System Description (VERILOG, VHDL, SMV) is compiled into a Transition System (Automaton, Kripke structure); algorithmic verification then checks the transition system against the formula.
• Build a mathematical graphical model of the system: what are the possible behaviors?
• Write the correctness requirement in a specification language: what are the desirable behaviors?
• Analysis: (automatically) check that the model satisfies the specification. Analysis is performed by an algorithm (tool), and gives counterexamples for debugging.
..Model Checking
• Model checking is completely automatic
• It produces counterexamples
• The counterexample usually represents a subtle error in the design
• The main disadvantage: the state explosion problem!
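The three model-checking steps (model the behaviors, state the desired property, search exhaustively and report a counterexample) as an added Python example that is not part of the lecture: a small explicit-state checker run over a constructed two-process lock model in which testing and setting the lock are separate steps, beside the corrected atomic test-and-set version; all names and the model are made up for illustration.

```python
from collections import deque

# Constructed model: two processes share one lock. A state is the tuple
# (pc of process 0, pc of process 1, lock value).
IDLE, WAIT, CRIT = "idle", "wait", "crit"

def _step(state, i, pc, lock):
    pcs = list(state[:2])
    pcs[i] = pc
    return (pcs[0], pcs[1], lock)

def successors_racy(state):
    # Flawed protocol: testing the lock and setting it are two separate steps.
    for i in (0, 1):
        pc, lock = state[i], state[2]
        if pc == IDLE and lock == 0:
            yield f"p{i}: test", _step(state, i, WAIT, lock)
        elif pc == WAIT:                      # acts on a possibly stale test
            yield f"p{i}: set", _step(state, i, CRIT, 1)
        elif pc == CRIT:
            yield f"p{i}: leave", _step(state, i, IDLE, 0)

def successors_atomic(state):
    # Corrected protocol: test-and-set is one atomic step.
    for i in (0, 1):
        pc, lock = state[i], state[2]
        if pc == IDLE and lock == 0:
            yield f"p{i}: test-and-set", _step(state, i, CRIT, 1)
        elif pc == CRIT:
            yield f"p{i}: leave", _step(state, i, IDLE, 0)

def mutual_exclusion(state):
    # Safety property (invariant): never both processes in the critical section.
    return not (state[0] == CRIT and state[1] == CRIT)

def check_invariant(initial, successors, invariant):
    """Exhaustive breadth-first search of the reachable states. Returns
    (holds, trace, states_seen); trace is the action sequence to the first
    violating state, or [] when the invariant holds everywhere."""
    parent = {initial: None}                  # state -> (predecessor, action)
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while parent[s] is not None:      # walk back to the initial state
                s, act = parent[s]
                trace.append(act)
            return False, trace[::-1], len(parent)
        for act, t in successors(s):
            if t not in parent:
                parent[t] = (s, act)
                queue.append(t)
    return True, [], len(parent)
```

The racy model yields the interleaving test, test, set, set as the counterexample, while the atomic model explores only three states and satisfies the property.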
Overview of programming paradigms..
Imperative programming is a programming paradigm that describes computation in terms of statements that change a program state. Imperative programs define sequences of commands for the computer to perform. It defines how to achieve the system goals.
The focus is on how (what steps) the computer should take rather than what the computer will do (ex. C, C++, Java). Object-oriented languages are counted as advanced releases of the original languages.
..Overview of programming paradigms..
Declarative programming is a programming paradigm that expresses the logic of a computation without describing its control flow. It attempts to minimize or eliminate side effects by describing what the program should accomplish, rather than describing how to go about accomplishing it.
The focus is on what the computer should do rather than how it should do it (ex. SQL, Prolog, Z notation).
35
Functional programming is a programming paradigm that treats computation as the evaluation
of mathematical functions and avoids state and mutable data.It emphasizes the application of functions. Functional programming has its roots in the lambda calculus.
It is a subset of declarative languages that has heavy focus on recursion.
(ex. Lisp, Schema, Haskell).
..Overview of programming paradigms
Prep
ared
by:
Sha
rif
Om
ar S
alem
– s
sale
mg@
gmai
l.com
36
The following is a sample of some tools and notations using Formal
Methods techniques . Keep in mind that there is many other tools.
Z Notation: the formal specification notation Z (pronounced "zed"),
useful for describing computer-based systems, is based on Zermelo-
Fraenkel set theory and first order predicate logic.
Alloy Analyzer: an object modeling notation that is compatible with
development approaches such as UML, and Catalysis, strongly
influenced by the Z specification language.
Formal Methods Tools and Notations..
Prep
ared
by:
Sha
rif
Om
ar S
alem
– s
sale
mg@
gmai
l.com
37
..Formal Methods Tools and Notations..
VCC (Microsoft Research): VCC is a mechanical verifier for concurrent C programs. VCC takes a C program, annotated with function specifications, data invariants, loop invariants, and ghost code, and tries to prove these annotations correct. If it succeeds, VCC promises that your program actually meets its specifications.
JML (Java Modeling Language): a behavioral interface specification language for Java.
ESC/Java2 (Extended Static Checker for Java): a tool using program verification technology. It attempts to find common run-time errors in JML-annotated Java programs by static analysis of the program code and its formal annotations.
..Formal Methods Tools and Notations
You can find more information and a list of tools at the following link:
http://formalmethods.wikia.com/wiki/Formal_methods#Individual_notations.2C_methods_and_tools
Conclusion
• Scientists Quotes
• Problems in software development
• Formal Logic
• Formal Methods
• Why to use FM techniques
• Case studies
• Specification
• Verification
• Overview of programming paradigms
• Formal Methods Tools and Notations
End of Lecture