march 2007tools for vdm in industry1 peter gorm larsen

March 2007 Tools for VDM in Industry 1

Tools for VDM in Industry

Peter Gorm LarsenPeter Gorm Larsen


Personal Background

• Theoretical Work• VDM-SL Semantics (ISO standard)• VDM-SL Proof Rules (PhD work)

• More Practical Work• VDM and SA in combination• IFAD VDMTools• Transfer VDM to Industry• Intensive use Industrially

• Employed by• For 13 years: IFAD• For 3,5 years: Systematic• For 2 years: Engineering College of Aarhus



IFAD Clients Experiences

• ”Bootstrapping” VDMTools

• Overview of VDMTools

• The Overture/Eclipse Initiative

• Vision for the future


References, World-wide, 2001

FranceFranceAerospatiale Espace et DefenseAerospatiale Espace et DefenseDassault AviationDassault AviationDasssault ElectroniqueDasssault ElectroniqueCISI CEA et DefenseCISI CEA et DefenseCEA LetiCEA LetiCap GeminiCap GeminiLAASLAASMatra Bae DynamicsMatra Bae Dynamics

U.K.U.K.British Aerospace Systems & British Aerospace Systems & EquipmentEquipmentBritish Aerospace DefenseBritish Aerospace DefenseAdelardAdelardICL Enterprise EngineeringICL Enterprise EngineeringRolls RoyceRolls RoyceTransitive TechnologiesTransitive Technologies

ItalyItalyENEAENEAAnsaldoAnsaldo

The NetherlandsThe NetherlandsDutch Dept. of DefenceDutch Dept. of DefenceOriginOriginChessChess

PortugalPortugalSidereusSidereus

DenmarkDenmarkBaan NordicBaan NordicOdense Steel ShipyardOdense Steel ShipyardDDC InternationalDDC International

North AmericaNorth AmericaBoeingBoeingRockwell CollinsRockwell CollinsLockheed MartinLockheed MartinDDC-I, Inc.DDC-I, Inc.Rational Software Corp.Rational Software Corp.Formal Systems Inc.Formal Systems Inc.Concordia UniversityConcordia University

JapanJapanRTRI (Japan Railways)RTRI (Japan Railways)JFITSJFITSFelica NetworksFelica Networks

GermanyGermanyGAO mbHGAO mbH

More than 150 VDMTools clients world-wide


ConForm (1994)• Organisation: British Aerospace (UK)• Domain: Security (gateway)• Tools: The CSK VDM-SL Toolbox

• Experience:

• Prevented propagation of error

• Successful technology transfer

• At least 4 more applications without support

• Statements:

• “Engineers can learn the technique in one week”

• “VDMTools can be integrated gradually into a traditional existing development process”


DustExpert (1995-7)

• Organisation: Adelard (UK)• Domain: Safety (dust explosives)• Tools: The CSK VDM-SL Toolbox • Experience:

• Delivered on time at expected cost

• Large VDM-SL specification

• Testing support valuable

• Statement:

• “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”


Adelard Metrics

• 31 faults in Prolog and C++ (< 1/kloc)• Most minor, only 1 safety-related• 1 (small) design error, rest in coding

Initial requirements 450 pages

VDM specification 16kloc (31 modules)12kloc (excl comments)

Prologimplementation

37kloc16kloc (excl comments)

C++ GUIimplementation

23kloc18kloc (excl comments)


CAVA (1998-)

• Organisation: Baan (Denmark)

• Domain: Constraint solver (Sales Configuration)

• Tools: The CSK VDM-SL Toolbox

• Experience:

• Common understanding

• Faster route to prototype

• Earlier testing

• Statement:

• “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”


Dutch DoD (1997-8)

• Organisation: Origin, The Netherlands

• Domain: Military


• Experience:

• Higher level of assurance

• Mastering of complexity

• Delivered at expected cost and on schedule

• No errors detected in code after delivery

• Statement:

• “We chose VDMTools because of high demands on maintainability, adaptability and reliability”


DoD, NL Metrics (1)

• Estimated 12 C++ loc/h with manual coding!

kloc hours loc/hour

spec 15 1196 13

manual impl 4 471 8.5

automatic impl 90 0 NA

test NA 612 NA

total code 94 2279 41.2totAL


DoD - Comparative Metrics

CODING TESTING

CODING TESTINGANALYSIS &

DESIGN

Traditional:Traditional:

VDMToolsVDMTools®®::

CostCost

ANALYSIS & DESIGN

900900 20002000 700700

12001200 500500 600600

0% 64%

100%


BPS 1000 (1997-)• Organisation: GAO, Germany• Domain: Bank note processing• Tools: The CSK VDM-SL Toolbox• Experience:

• Better understanding of sensor data

• Errors identified in other code

• Savings on maintenance

• Statement:

• VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.


Flower Auction (1998)

• Organisation: Chess, The Netherlands

• Domain: Financial transactions

• Tools: The CSK VDM++ Toolbox

• Experience:

• Successful combination of UML and VDM++

• Use iterative process to gain client commitment

• Implementers did not even have a VDM course

• Statement:

• “The link between VDMTools and Rational Rose is

essential for understanding the UML diagrams”


SPOT 4 (1999)

• Organisation: CS-CI, France

• Domain: Space (payload for SPOT4 satellite)


• Experience:

• 38 % less lines of source code

• 36 % less overall effort

• Use of automatic C++ code generation

• Statement:

The cost of applying Formal methods is significantly lower than without them.


IFAD VDM Applications

• VDMTools• VDM interpreter• VDM static semantics• VDM to C++ code generator• Specification manager• UML mapper• Java static semantics• Java VDM++ translator

• MUSTER: Emergency response training


Japanese Railways (2000-2001)

• Domain: Railways (database and interlocking)

• Experience:

• Prototyping important

• Subsequent also using it for ATC system

• Engineer working at IFAD for two years


Stock-options (2000- )

• Organisation: JFITS, Japan• Domain: Financial• Tools: The CSK VDM++ Toolbox• Ongoing and still expanding


Mass producted chicps (2005- )

• Organisation: Felica Networks (Sony), Japan• Domain: Used inside mobile phones• Tools: The CSK VDM++ Toolbox• Status:

• Over 100000 lines (677 pages) of VDM++

• More than 10 million test cases

• 110000 lines of C++ in firmware

• 56 members (did not know FM in advance)

• Project on schedule (3 years)

• More than 10 million chips shipped in 2006

• Not a single bug discovered so far


Further Information• Applying Formal Specification in Industry. P.G. Larsen, J.

Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13, no. 3, May 1996

• A Lightweight Approach to Formal Methods S.Agerholm and P.G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.

• Applications of VDM in Banknote Processing P. Smith and P.G. Larsen. + Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator, A. Puccetti and J.Y. Tixadou + Formal Specification of an Auctioning System Using VDM++ and UML, M.Verhoef et. al.

Published at the First VDM Workshop: VDM in Practice with the FM'99 Symposium, Toulouse, France, September 1999.




”Bootstrapping” VDMTools

• Overview of VDMTools




Development Choices Taken

Executable modelsTesting and animation

Partial “analysis” (validation)System level testing

Code generationVDM for source code

Formal refinement and formal verification


Staff Overview

PGL

PBLMA

ETN

HCHVNKJNJSALTOJWTOSJKPKSPM

91 92 93 94 95 96 97 98 99 00

NPMV KdB CA BF BA

SN JKP

VS JKP

WS

JSF

GWOO

+JR +ML +RM


Development Environment

• GNU C++/Visual C++• Generic VDM C++ library• GUI: Previously:Tcl/Tk, Now: Qt• flex and bison• CVS/Ediff version control• OSs: Windows, Linux, Unix • Test environments• Development procedures


VDM++VDM++VDM++VDM++

VDM++VDM++VDM++VDM++

The “Bootstrapping” Process

VDM-SL

DS spec

VDM-SL

DS impl

VDM-SL

SM spec

VDM-SL

SM impl

VDM-SL

PM spec

VDM-SL

PM impl

VDM-SL

CG spec

VDM-SL

CG impl

VDM-SL

SS spec

VDM-SL

SS impl

Implicit time line


Specification Sizes

Abstract Syntax etc 3020Static Semantics 17686Interpreter 25068Code generators 31524Specification Manager 3693Dependency 792Rose-VDM++ Link 1512Proof Support 28355Java Static Semantics 7026Java 2 VDM++ Translator 7601In total 126277


Component Categories

• Purely hand-coded• VDM + hand coding• VDM + code generation


Purely Hand-coded Components

• Scanner/parser (lex/yacc)• pretty-printer (simple C++ component)• GUI (previously: Tcl/Tk, now: Qt)• Interface to third party tools

• Rational Rose

• Corba for API

• ML for HOL

• Generic VDM C++ library


VDM + Hand Coding

• Dynamic semantics (SL and ++)• Static semantics (SL and ++)• Java/C++ Code generators (SL and ++)• Test environments for each component• Reused at implementation level• Java/C++ code generators now themselves

partially code generated


Maintenance Approach

• Bugs first reproduced at specification level• Tested using the VDM debugger• Check that all tests are satisfactory• Implement changes of specification• Rerun all tests at implementation level


VDM + code generation

• Animator for SA/RT• Specification Manager (SL and ++)• VDM++ to/from UML translation• Proof support (SL)• Parts of GUI now code generated• VDM model becomes source• Trade-off with abstraction


Further Information

• An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991

• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994

• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995

• Ten Years of Historical Development - ”Bootstrapping” VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001





Overview of VDMTools




VDMTools® Overview

The Rose-VDM++ Link

Document Generator

Code Generators- C++, Java

Syntax & Type Checker

API (Corba), DL Facility

Interpreter (Debugger)

Integrity CheckerJava to VDM++


Japanese Support via Unicode


Validation with VDMTools®

VDM specsVDM specs

Test casesTest cases Expected resultsExpected results

Actual resultsActual results

ComparisonComparison

ExecutionExecution


Documentation in MS Word/RTF

One compound document:One compound document:

• Documentation

• Specification

• Test coverage

• Test coverage

statistics


Architecture of the Rose VDM++ Link

VDM++ ToolboxVDM++ Toolbox Rational Rose 2000Rational Rose 2000

ClassClassRepositoryRepository

ClassClassRepositoryRepositoryMerge ToolMerge Tool

VDM++ FilesVDM++ Files

UMLUMLDiagramsDiagrams

UML modelUML modelfilefile


Integrity checker


Reference Material

• The VDM++ Language for VICE, CSK, 2005• The VDM++ User Manual, CSK, 2005• The VDM++ Installation Guide, CSK, 2005• Rational Rose Link Plug-in Installation and User

Guide, CSK, 2005


Further Information

• An Executable Subset of Meta-IV with Loose Specification, P.G. Larsen, P.B. Lassen, VDM '91: Formal Software Development Methods, 1991

• The IFAD VDM-SL Toolbox: A Practical Approach to Formal Specifications, R. Elmstrøm, P.G. Larsen, P.B. Lassen, ACM Sigplan Notices, September 1994

• Computer-aided Validation of Formal Specifications, P. Mukherjee, Software Engineering Journal, July 1995

• Ten Years of Historical Development - ”Bootstrapping” VDMTools, P.G. Larsen, Journal of Universal Computer Science, 2001






The Overture/Eclipse Initiative


March 2007 Tools for VDM in Industry

Overture versus VDMTools

• VDMTools (http://www.vdmtools.jp/en)

• Closed source, proprietary (available under NDA)• Monolithic architecture (single binary), C++• Optimized for performance, industry strength

• Overture Tool project (http://www.overturetool.org)

• Open source, GPL license• Plug-in architecture, Eclipse, Java• Optimized for flexibility, targets academic use• (partly) developed using VDMTools


Overture – an open-source initiative

• Based on the Eclipse platform• Extendible open VDM++ tool support• Initial tool support produced in MSc project in NL• MSc project carried out at TUD

• Jacob Porsborg Nielsen and Jens Kielsgaard Hansen

• MSc project at Aarhus University• Thomas Christensen

• New MSc projects at Engineering College of Aarhus• Hugo Macedo, Minho University

• Sander Vermolen, University of Nijmegen


Basic automatic checks and GUI

Overture Architecture Overview

Syntax Check

Connection to standard developm

ent environments

UML, SysMLAADL

VisualisationSupport

Code Generators- C++, Java

GUIgenerators

ReverseEngineering

support

Type Check

Refactoringsupport

OML editorWith

syntaxhighlighting

Validation support

PrettyPrinting

Withcoverage

Interpreter (Debugger)

With APIcapabilities

Test Generation

support

VisualizationSupport forExecution

tracesVerification support

ProofObligationgeneration

AutomaticProof

support

InteractiveProof

support

ModelCheckingsupport

EclipseAST

Not yet available PlannedCurrently under development


Automatic AST generation

OVERTUREAST spec

(VDM-SL subset)ASTGEN sed script

JAVAinterfaces

VDM++classes

VDMTools

javaclasses

sed

modified javaclasses“implements”● specified in VDM++

● code generated

other users can use these specs to specify their own OVERTURE extensions (in VDM++)


Tracefile Viewer (1)






The Overture/Eclipse Initiative

Vision for the future


VDMTools future

• IFAD went bankrupt April 2004• CSK (mother company for JFITS) from Japan bought

the IPR for VDMTools from the bankruptcy• VDMTools executable and documentation is available

again• Academic version

• Non-commercial version

• Commercial version

• All freely available!!

• A new book on VDM++ was released

January 2005


Extending VDM++ with better support for distributed real-time

• Today embedded real-time systems are increasingly distributed

• Hard to master complexity within tight time schedules• Current research work extend VDM++ with better

support for describing and analyzing this• Possibility to use CPU’s and BUS’es inside system• Deployment of objects to CPUs• Setting priorities of operations• Introduction of asynchronous operations• Cycles statement in addition to duration statement


Combining with continuous time


An email from an old (very good) student

… At that time I understood that a formal specification would be an advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know:

At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore how the devices will behave ourselves...every external company has an own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and its a miracle that the system still works (with a number of bugs though)...


Go out and use the principles at least!

march 2007tools for vdm in industry1 peter gorm larsen

Documents

practical work vdm

military tools

csk vdmsl toolbox experience

coding slide

reliability slide

future slide

security gateway tools

safety dust explosives