semantics in practice dr peter gorm larsen associate professor university college of aarhus + pgl...

Semantics in Practice

Dr Peter Gorm LarsenDr Peter Gorm LarsenAssociate ProfessorAssociate Professor

University College of Aarhus +University College of Aarhus +PGL ConsultPGL [email protected]@iha.dk

Ingeniørhøjskolen i ÅrhusSlide 2

Personal Background• Theoretical Work

– VDM-SL Semantics (ISO standard)– VDM-SL Proof Rules (PhD work)

• More Practical Work– VDM and SA in combination– IFAD VDMTools– Transfer VDM to Industry– Intensive use Industrially

• Employed by– For 13 years: IFAD– For 3,5 years: Systematic– Now:

• University College of Aarhus and• PGL Consult



Overview of VDM Concepts

• Overview of VDM Tool Support

• Industrial usage of VDM


Vienna Development Method

• VDM-SL and VDM++– ISO Standardisation of VDM-SL– VDM++ is an object-oriented extension

• Model-oriented specification:– Simple, abstract data types– Invariants to restrict membership– Functional specification:

• Referentially transparent functions• Operations with side effects on state variables • Implicit specification (pre/post)• Explicit specification (functional or imperative)


VDM++ Overview

• Access Modifiers and Constructors

• Instance Variables

• Types

• Functions

• Expressions,Patterns,Bindings

• Operations

• Statements

• Concurrency


Concurrency Primitives in VDM++

• Concurrency in VDM++ is based on threads• Threads communicate using shared objects• Synchronization on shared objects is specified

using permission predicates– A permission predicate describes when an operation

call may be executed.– If a permission predicate is not satisfied, the operation

call blocks.




Overview of VDM Tool Support

• Industrial usage of VDM


What is VDMTools?

• The VDM-SL Toolbox• The VDM++ Toolbox• Different experimental extensions:

– Reverse engineering from Java to VDM++– PROSPER for proof support on top of VDM-SL– VICE for support for real-time systems


VDMTools® Overview

The Rose-VDM++ Link

Document Generator

Code Generators- C++, Java

Syntax & Type Checker

API (Corba), DL Facility

Interpreter (Debugger)

Integrity Checker


References, World-wide

FranceFranceAerospatiale Espace et DefenseAerospatiale Espace et DefenseDassault AviationDassault AviationDasssault ElectroniqueDasssault ElectroniqueCISI CEA et DefenseCISI CEA et DefenseCEA LetiCEA LetiCap GeminiCap GeminiLAASLAASMatra Bae DynamicsMatra Bae Dynamics

U.K.U.K.British Aerospace Systems & British Aerospace Systems & EquipmentEquipmentBritish Aerospace DefenseBritish Aerospace DefenseAdelardAdelardICL Enterprise EngineeringICL Enterprise EngineeringRolls RoyceRolls RoyceTransitive TechnologiesTransitive Technologies

ItalyItalyENEAENEAAnsaldoAnsaldo

The NetherlandsThe NetherlandsDutch Dept. of DefenceDutch Dept. of DefenceOriginOriginChessChess

PortugalPortugalSidereusSidereus

DenmarkDenmarkBaan NordicBaan NordicOdense Steel ShipyardOdense Steel ShipyardDDC InternationalDDC International

North AmericaNorth AmericaBoeingBoeingRockwell CollinsRockwell CollinsLockheed MartinLockheed MartinDDC-I, Inc.DDC-I, Inc.Rational Software Corp.Rational Software Corp.Formal Systems Inc.Formal Systems Inc.Concordia UniversityConcordia University

JapanJapanRTRI (Japan Railways)RTRI (Japan Railways)JFITSJFITS

GermanyGermanyGAO mbHGAO mbH

More than 150 clients world-wide in 2001




Overview of VDM Tool Support

Industrial usage of VDM


ConForm (1994)• Organisation: British Aerospace (UK)• Domain: Security (gateway)• Tools: The IFAD VDM-SL Toolbox

• Experience:

– Prevented propagation of error

– Successful technology transfer

– At least 4 more applications without support

• Statements:

– “Engineers can learn the technique in one week”

– “VDMTools can be integrated gradually into a traditional existing development process”


DustExpert (1995-7)• Organisation: Adelard (UK)• Domain: Safety (dust explosives)• Tools: The IFAD VDM-SL Toolbox • Experience:

– Delivered on time at expected cost

– Large VDM-SL specification

– Testing support valuable

• Statement:

– “Using VDMTools we have achieved a productivity and fault density far better than industry norms for safety related systems”


Adelard Metrics

• 31 faults in Prolog and C++ (< 1/kloc)• Most minor, only 1 safety-related• 1 (small) design error, rest in coding

Initial requirements 450 pages

VDM specification 16kloc (31 modules)12kloc (excl comments)

Prologimplementation

37kloc16kloc (excl comments)

C++ GUIimplementation

23kloc18kloc (excl comments)


CAVA (1998-2000)• Organisation: Baan (Denmark)

• Domain: Constraint solver (Sales Configuration)

• Tools: The IFAD VDM-SL Toolbox

• Experience:

– Common understanding

– Faster route to prototype

– Earlier testing

• Statement:

– “VDMTools has been used in order to increase quality and reduce development risks on high complexity products”


Dutch DoD (1997-8)

• Organisation: Origin, The Netherlands

• Domain: Military


• Experience:

– Higher level of assurance

– Mastering of complexity

– Delivered at expected cost and on schedule

– No errors detected in code after delivery

• Statement:

– “We chose VDMTools because of high demands on maintainability, adaptability and reliability”


DoD, NL Metrics (1)

• Estimated 12 C++ loc/h with manual coding!

kloc hours loc/hour

spec 15 1196 13

manual impl 4 471 8.5

automatic impl 90 0 NA

test NA 612 NA

total code 94 2279 41.2totAL


DoD - Comparative Metrics

CODING TESTING

CODING TESTINGANALYSIS &

DESIGN

Traditional:Traditional:

VDMToolsVDMTools®®::

CostCost

ANALYSIS & DESIGN

900900 20002000 700700

12001200 500500 600600

0% 64%

100%


BPS 1000 (1997-)• Organisation: GAO, Germany• Domain: Bank note processing• Tools: The IFAD VDM-SL Toolbox• Experience:

– Better understanding of sensor data

– Errors identified in other code

– Savings on maintenance

• Statement:

– VDMTools provides unparalleled support for design abstraction ensuring quality and control throughout the development life cycle.


Flower Auction (1998) • Organisation: Chess, The Netherlands

• Domain: Financial transactions

• Tools: The IFAD VDM++ Toolbox

• Experience:

– Successful combination of UML and VDM++

– Use iterative process to gain client commitment

– Implementers did not even have a VDM course

• Statement:

– “The link between VDMTools and Rational Rose

is essential for understanding the UML diagrams”


SPOT 4 (1999)

• Organisation: CS-CI, France

• Domain: Space (payload for SPOT4 satellite)


• Experience:

– 38 % less lines of source code

– 36 % less overall effort

– Use of automatic C++ code generation

• Statement:

The cost of applying Formal methods is significantly lower than without them.


Japanese Railways (2000-2001)

• Domain: Railways (database and interlocking)

• Experience:

– Prototyping important

– Now also using it for ATC system

• Engineer working at IFAD for two years with PROSPER proof support


Stock-options (2000- )• Organisation: JFITS (CSK group company), Japan• Domain: Financial• Tools: The IFAD VDM++ Toolbox• Reason for CSK to purchase VDMTools

Tax exemption COCOMO Realized

Effort 38,5 person months 14 person months

Schedule 9 months 3,5 months

Options COCOMO Realized

Effort 147,2 person months 60,1 person months

Schedule 14,3 months 7 months


Reverse Engineering (2001)

• Organisation: Boeing• Domain: Avionics• Tools: The IFAD VDM++ Toolbox• Included development of Java to VDM++ reverse

engineering feature


Optimisation (2001)• Organisation: Transitive TechnologiesTransitive Technologies, UK, UK• Domain:EmbeddedDomain:Embedded• Tools: The IFAD VDM-SL ToolboxTools: The IFAD VDM-SL Toolbox• Making software independent of hardware Making software independent of hardware

platformplatform


Further Information• Applying Formal Specification in Industry. P.G. Larsen, J.

Fitzgerald and T. Brookes. Published in "IEEE Software" vol. 13, no. 3, May 1996

• A Lightweight Approach to Formal Methods S.Agerholm and P.G. Larsen. In Proceedings of the International Workshop on Current Trends in Applied Formal Methods, Boppard, Germany, Springer-Verlag, October 1998.

• Applications of VDM in Banknote Processing P. Smith and P.G. Larsen. + Application of VDM-SL to the Development of the SPOT4 Programming Messages Generator, A. Puccetti and J.Y. Tixadou + Formal Specification of an Auctioning System Using VDM++ and UML, M.Verhoef et. al.

Published at the First VDM Workshop: VDM in Practice with the FM'99 Symposium, Toulouse, France, September 1999.


Go out and use the semantics principles at least!

Semantic


An email from a former (very good) student… At that time I understood that a formal specification would be an

advantage for big projects but I had no idea how desperately this is also needed in smaller projects when there are many people involved. Today I do know:

At the moment I am working at BMW in the communications department. We work on the integration of the car telephone (including a telematics unit with GPS coordinates) into the overall car. There is a lot of interaction between the telephone and the HMI of the car and there are different versions and types of all the involved devices. There are also five companies (BMW, Motorola, Siemens VDO, Harmann-becker, Alpine) who develop the different units. The system should not be so complex because many of the devices should (!) behave similarly. But the specifications we write are English plain text (hundreds of pages), in our department more than 10 people are involved and we do not know anymore how the devices will behave ourselves...every external company has an own interpretation of the specs and this interpretation changes over time. If you ask the same person twice you get different answers (I frankly admit that I am no exception)... You can imagine how "efficient" everything is and its a miracle that the system still works (with a number of bugs though)...

semantics in practice dr peter gorm larsen associate professor university college of aarhus + pgl...

Documents

rhus slide

sl vdm

imperative slide

vdm class

vdm concurrency

pgl consult slide

set expert

practical work vdm