© Quantum Solutions, 1995-2002 0 Formal Methods in Software Engineering A Short Course on When, Why, and How to use Formal Methods in Software Engineering.

1 © Quantum Solutions, 1995-2002 0 Formal Methods in Software Engineering A Short Course on When, Why, and How to use Formal Methods in Software Engineering Richard Wallace Sr. Partner, Quantum Solutions 2/5

2 Course Outline
Foundations, Part 1
- Introduction to the Introduction
- Introduction
- Who needs this? (need)
- When did this get created? (history)
Foundations, Part 2
- What is this Greek? (notation)
- Why can’t I just code? (methods)
Tools, Part 3
- Where are the quill pens and chalkboards? (basic tools)
- How do I get a computer to do this? (IDE)
Application, Part 4
- Military/Aerospace
- Communications
Practical Issues, Part 5
- Educating Program Managers
- Operational Considerations for the Customer
- Schedules – or – When is it good enough
- Lies, Damn lies, and Formal Methods!

3 It’s Greek to Me (Notation)
It is mathematics, you’ve seen it before
- The difference of dx/dt and Δt?
They are both symbols that have specific meaning
The notation is not novel, new, or hard to understand
It’s more about the semantic content than the symbology
Remember this from the first session?
- Be able to express what is done without saying how it is done (i.e., non-procedural)

4 Notation
Good notation makes the difference between a transparent interaction, where the actual problem dominates the user's attention, and a nightmare, where the user cannot get the system to do what he wants, and doesn’t understand what the system “thinks it's doing.”
We are talking about a “Begriffsschrift”, German for a “formula language”. It is also the title of a short book on logic by Gottlob Frege, published in 1879, and the name of the formal system set out in that book. Begriffsschrift is usually translated as concept writing or concept notation: a notation, modelled on that of arithmetic, for pure thought. The Begriffsschrift was arguably the most important publication in logic since Aristotle founded the subject. Frege's motivation for developing his formal approach to logic resembled Leibniz's motivation for his calculus ratiocinator. Frege went on to employ his logical calculus in his research on the foundations of mathematics, carried out over the next quarter century.

5 Notation Example
Both of these aren’t hard and we’ve seen these over and over
It’s easy because it is familiar

6 Symbology Example (Propositions) 1

7 Symbology Example (Propositions) 2

8 Pitfalls

9 Course Outline
Foundations, Part 1
- Introduction to the Introduction
- Introduction
- Who needs this? (need)
- When did this get created? (history)
Foundations, Part 2
- What is this Greek? (notation)
- Why can’t I just code? (methods)
Tools, Part 3
- Where are the quill pens and chalkboards? (basic tools)
- How do I get a computer to do this? (IDE)
Application, Part 4
- Military/Aerospace
- Communications
Practical Issues, Part 5
- Educating Program Managers
- Operational Considerations for the Customer
- Schedules – or – When is it good enough
- Lies, Damn lies, and Formal Methods!

10 Why can’t I just Code?
Classic reasons
- Systems have myriad interactions and do not control their environment as applications can
- There has to be an overall design that can be assured to be correct because you can never test it all
- No one person or small team (< 10) builds a system
“The increasing size and complexity of software, coupled with concurrency and distributed systems, has made apparent the ineffectiveness of using… tests. The misuse of code coverage and avoidance of random testing has exacerbated the problem. We must start again, beginning with good design – including dependency analysis – good static checking – including model property checking… The convergence of static analysis tools with formal methods is now providing powerful tools for ensuring high-quality units, and to some extent their integration.”
Too Darned Big to Test, ACM Queue – Quality Assurance, Vol. 3, No. 1 - February 2005

11 Even the Über-coder Hero Says “Design”
“What Is Software Design: 13 Years Later,” Jack W. Reeves, 2005
Formal method notations can directly be processed into code representations

12 Program Construction from Formal Specifications
Briefing to South Carolina Research Authority (SCRA)
Richard Wallace, Senior Consultant, Quantum Solutions
Prior Presentation to SCRA on 4/28/97

13 Vision Statement
- Given a valid specification a valid implementation can be constructed.
- A System is thus “Correct by Design.”

14 Goals
- Reduce System Cost.
- Reduce Defects in delivered Product.
- Reduce System Redesign Time.

15 Objective
- An IDE for construction and proof of Formal Specifications.
- Multiple back-end processing creating application specific implementations from Formal Specifications.

16 Situation Today
- Tool plethora for aiding in construction of implementations.
- Few tools for the construction of specifications.
- Sparse commercial tools for proving formal specifications.
There are now over 25 companies that supply tools… list coming up.

17 Available Options
- Design and Implementation Calculus notations.
- Automated/Animated Simulators/Implementation Notation Generators.
- Proof Tools generating application specific implementations.

18 Working Definitions
- Formal Specification
  - A concise description of behavior and properties written in a mathematically-based language allowing proof via accepted axioms and theorems.
- Formal Proof
  - A series of steps which draws conclusions from a set of accepted axioms and theorems giving a complete argument for the validity of statements that describe a system.

19 Working Definitions (Cont.)
- Specification Animator
  - Non-formal, “executables” providing high-level dynamic behavior of the specification.
  - The animation introduces temporal behavior.
  - Assists in verification of proof boundaries (temporal, dimensional, conditional).

20 Possible Notations...
- Acl2 theorem prover, a successor to the Boyer-Moore theorem prover. Version 1.8 available now, 1.9 coming soon.
- Action Semantics, a framework for specifying formal semantics of programming languages.
- Algebraic Design Language, a higher-order software specification language.
- Assertion Definition Language Translator (ADLT), a specification based testing tool-set.
- Auto/Graph, model-based automatic verification of distributed communicating systems.
- BDDs (Binary Decision Diagrams) for finite-state verification problems.
- B-Method, including the B-Tool and B-Tool-kit.
- Boyer-Moore theorem prover (a forerunner of Nqthm). Available via ICOT Free Software for use under Unix at ICOT (Japan), SICS (Sweden), GMD (Germany) and Univ. of Oregon (USA).
- CCS (Calculus of Communicating Systems). An algebra for specifying and reasoning about concurrent systems.
- Circal (CIRcuit CALculus) System supporting a process algebra which may be used to rigorously describe, verify and simulate concurrent systems.
- COLD (Common Object-oriented Language for Design), a wide-spectrum specification language.
- Concurrency Factory, a "next generation" Concurrency Workbench tool-kit.
- Coq proof assistant. See also CtCoq, a working environment for the Coq project theorem prover.
- COSPAN (COordinated SPecification ANalysis), a general-purpose rapid-prototyping tool, using the S/R (selection/resolution) language.
- CSP (Communicating Sequential Processes) including the FDR tool.
- CWB (Edinburgh Concurrency Workbench) automated toolset. See also the Concurrency Factory and CWB-NC.
- CWB-NC (The Concurrency Workbench of North Carolina), which includes a LOTOS interface, diagnostic information, etc. Note: The CWB and CWB-NC have a common ancestor, but are each under separate development.
- DisCo specification method for reactive systems including a tool developed at the Tampere University of Technology, Finland.
- Estelle: EDT (Estelle Development Toolset) and example specifications.
- Esterel language and tools for synchronous reactive systems, including verification support.

21 Possible Notations (Cont.)
- EVES tool, based on ZF set theory, from ORA, Canada. See also Z/EVES which provides a Z front-end to EVES. Both are now available for on-line distribution.
- Evolving Algebras, University of Michigan, USA. See also here, University of Paderborn, Germany.
- Extended ML framework for the specification and formal development of modular Standard ML programs.
- GIL, a graphical interval logic tool. See also publications by Laura Dillon.
- HOL mechanical theorem proving system, based on Higher Order Logic.
- HyTech (The HYbrid TECHnology Tool), an automatic tool for the analysis of embedded systems which computes the condition under which a linear hybrid system satisfies a temporal-logic requirement.
- IMPS, an Interactive Mathematical Proof System intended to provide mechanical support for traditional mathematical techniques and styles of practice.
- Isabelle. See also the Cambridge Automated Reasoning Group and FTP access including an index.
- JAPE (Just Another Proof Editor) by Bernard Sufrin and Richard Bornat is available via anonymous FTP. See also MacOS JAPE.
- KIV (Karlsruhe Interactive Verifier). A tool for the development of correct software using stepwise refinement.
- LAMBDA toolset from Abstract Hardware Ltd, UK, supports formal verification for hardware/software co-design.
- Larch and LP (Larch Prover). See also DEC SRC's Larch Home Page and the Larch Project at CMU. The Larch tool set (look at the README file first) is available.
- LeanTaP, a tableau-based deduction theorem prover for classical first-order logic.
- LEGO proof assistant.
- LOTOS (Language of Temporal Ordering Specifications). See also information from Madrid, Ottawa and Stirling.
- Lustre synchronous declarative language for programming reactive systems, including verification.
- Maintainer's Assistant, a tool for reverse engineering and re-engineering code using formal methods.
- Meije tools for the verification of concurrent programs. Includes ATG, a graphical editor/visualizer.
- Mizar tool, a long-term effort aimed at developing software to support a working mathematician in preparing papers.

22 Possible Notations (Cont.)
- Model Checking at CMU, a method for formally verifying finite-state concurrent systems. Available packages include: BDD library with extensions for sequential verification. CV, a VHDL model checker. CSML and MCB, a language for compositional description of finite state machines and a (non-symbolic) model checker for CTL.
- SMV (Symbolic Model Verifier) model checker for finite-state systems, using the specification language CTL (Computation Tree Logic), a propositional branching-time temporal logic. See also Word-level SMV for verifying arithmetic circuits efficiently.
- Mural tool to aid formal reasoning about specifications including a proof assistant and VDM support. See also the Mural Project.
- Murphi description language and verifier tool for finite-state verification of concurrent systems.
- Nqthm theorem prover and the Pc-Nqthm interactive “Proof-checker” enhancement of the Boyer-Moore Theorem Prover from Computational Logic Inc. See also Nqthm users Gopher information.
- Nuprl tool based on intuitionistic type theory.
- OBJ - OBJ3 and 2OBJ.
- Otter, an automated deduction system.
- Petri Nets, a formal graphical notation for modelling systems with concurrency. See also conferences and tools.
- Pi-calculus, a calculus for mobile processes. See also papers by Robin Milner et al. and the Mobility Workbench (see information and a BibTeX bibliography).
- Pobl. A development method for concurrent object-based programs.
- ProofPower is a commercial tool, developed by ICL, supporting development and checking of specifications and formal proofs in Higher Order Logic and/or Z. Support for Z uses a deep(ish) embedding of Z into HOL, but includes syntax and type checking customized for Z.
- Prover Technology, NPL, for automated proof by modelling systems in propositional logic using a unique patented algorithm.
- PVS (Prototype Verification System) tool based on classical typed higher-order logic developed at the SRI International Computer Science Laboratory.
- RAISE language and tools from CRI, Denmark.
- Rapide language and toolset, for building large-scale distributed multi-language systems.
- Refinement Calculus by Ralph Back et al.
- SDL (Specification and Description Language) from the SDL Forum Society. See also previous site here.
- SPARK secure subset of Ada, including SPARK Examiner tool for program analysis and verification.

23 Possible Notations (Cont.)
- SPIN is an automated verification tool (model checker), using a language based on CSP, for finite state systems, such as protocols or validation models of distributed systems, developed at AT&T Bell Labs.
- STeP, the Stanford Temporal Prover.
- TAM. The Temporal Agent Model from the Real-Time Systems Research Group at York University.
- TLA (Temporal Logic of Actions) has tool support.
- TPS and ETPS, the Theorem Proving System and the Educational Theorem Proving System.
- TRIO language and tools for real-time systems, based on temporal logic.
- TTM/RTTL framework for real-time reactive systems.
- UNITY, a programming notation and a logic to reason about parallel and distributed programs.
- UPPAAL verification and validation tools for real-time systems. Model checking and simulation with a graphical interface.
- VDM (Vienna Development Method). See also the Mural tool, VDM text books, VDM++ object-oriented extension, and VDM forum mailing list.
- VIS (Verification Interacting with Synthesis), a system for formal verification, synthesis, and simulation of finite state systems, especially logic circuits. Includes a Verilog HDL front-end.
- Z notation for formal specification.

24 Commercial Companies...
- Abstract Hardware Limited, Uxbridge, Middlesex, UK. Products including the LAMBDA system synthesis tool set and PolyML, a commercially supported version of Standard ML. Services include training courses and consultancy.
- Adelard, London, UK. Consultancy in the areas of: development, verification and assessment; safety cases; standards and guidelines; training and technology transfer.
- B-Core (UK) Limited, Oxford, UK. B-Tool-kit, based on the B-Tool.
- BT Laboratories, Martlesham, Ipswich, UK. Formal Methods Group.
- Cap Volmac, Utrecht, The Netherlands. VDM++ language and tools.
- Chrysalis Symbolic Design, Inc., North Billerica, MA, USA. Produces software for creating and verifying electronic circuits and systems. Products include Symbolic Logic(tm) technology to help with formal verification.
- COMPASS Design Automation, San Jose, CA, USA. VHDL formal verification tool for electronics design automation (EDA). See the interactive tour of the VFormal product.
- Computational Logic Inc., Austin, Texas, USA. Nqthm and Pc-Nqthm theorem proving tools. Hardware verification including the FM9001 microprocessor.
- CRI, Denmark. RAISE language and tools.
- CVI (Dutch Rail Automation), Utrecht, The Netherlands.
- Computer Science Consultancy, UK. fuzz - Z type-checker tool.
- Digilog, France. Atelier B tool supporting the B-Method.
- DST (Deutsche System-Technik GmbH), Kiel, Germany. DST fUZZ - Z tool.
- Edinburgh Portable Compilers Ltd., UK. B-Tool.
- Formal Systems (Europe) Ltd., Oxford, UK. FDR tool for CSP model checking.
- GEC Alsthom, Paris, France. Users of the B-Tool.
- Harlequin, Australia / UK / USA. Consultancy including formal software engineering and reasoning systems.
- IBM Hursley Park, UK.
- Technology Center, Clear Lake, Texas USA.
- IFAD, Odense, Denmark. Products include the VDM Toolbox and VDM to C++ Code Generator.
- Inmos, Bristol, UK. (now SGS-Thomson Microelectronics)
- IST (Imperial Software Technology Ltd), Reading, UK. (Also Cambridge, London, and Palo Alto, USA.) Software engineering company, including an Advanced Technology Group specializing in the application of formal methods for high-integrity and secure systems. Products include Zola, an integrated editor, type-checker and prover for the Z notation.

25 Commercial Companies (Cont.)
- Kestrel Institute, California, USA. Undertakes research in applying formal methods and automated reasoning systems to software engineering.
- K&M Technologies Limited, Dublin, Ireland. Industrial exploitation of the Irish School of the VDM, etc.
- Lloyds Register, Croydon, UK.
- Logica UK Limited. Formal methods tools and services, including the Formaliser Z type-checker.
- Logikkonsult NP AB, Sweden. Products include Prover (a theorem prover for propositional logic extended with finite integer arithmetic) and NP-Tools (a framework for mathematically proving safety properties).
- ORA, Ottawa, Canada. EVES tool.
- Philips GmbH Forschungslaboratorien, Aachen, Germany.
- Praxis, Bath, UK. Praxis Critical Systems have skills in formal specification, static analysis, safety engineering. Products include SPARK language and tool support for program verification.
- Program Validation Limited, UK. (now Praxis Critical Systems)
- Research Access Inc., USA. Specification and verification documents.
- RWTÜV Anlagentechnik, Germany.
- SRI, Menlo Park, California, USA. Also, Cambridge, UK. Formal methods information and PVS tool.
- Telelogic AB, Malmö, Sweden. Products include SDT, a software engineering toolset based on SDL, and the ITEX test suite tool.
- Verilog, USA. See also France. Products include the ObjectGEODE toolset, based on the OMT, SDL and MSC standards notations, dedicated to analysis, design, verification and validation through simulation, code generation and testing of real-time and distributed applications.
2007 update: ORA closed

26 Which to Use?
- Dependent on level of risk.
- Dependent on client sophistication.
- Dependent on implementation desired.

27 Any “Silver Bullet?”
- Universal tool for all Formal Specification
  - None exists.
  - Formal Methods do not guarantee a perfect product.
  - “…mathematical rigour cannot eliminate mistakes entirely. All it can do is reduce their likelihood -- drastically.” (Carroll Morgan, Oxford PRG)

28 Future: Commercial Formal Methods
- Based on
  - Z/EVES & B
  - STeP & CSP
  - Concurrency Factory.
- GUI for non-code notations and animation.
- Must have multiple implementation generators.
- Must have animator for all implementations.
- System decomposer using incremental system proofs.
Today, ACL2, PVS, CZT (Z) and their entourage of proof tools

29 Formal Methods to Procedural Code 1
Carroll Morgan’s Programming from Specifications, Second Edition 1998
- Provides a calculus to go from specification to an Algol/BCPL based language
- Forwards and backwards from specification to code and code to specification

30 Morgan’s Calculus
Because it is a calculus, there is no set “tool” or tool suite for it: the calculus can be applied to any particular notation (we just saw 70 of them!)
Several Z tools are using this calculus.
With the advent of model checking (hardware descriptions) the calculus is seeing more use
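An added example, not taken from the slides or from Morgan's book: a specification statement in the frame:[pre, post] shape used by Morgan's calculus, written in Python and exercised the way the "Specification Animator" slide describes, by running candidate programs against it over a bounded set of states. The integer-square-root problem and the names Spec, ISQRT, animate, bounded_states and the three candidate programs are assumptions made for illustration; a bounded run of this kind is evidence about a program, not a proof.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

State = Dict[str, int]

@dataclass(frozen=True)
class Spec:
    """Specification statement frame:[pre, post]; says what, never how."""
    frame: Tuple[str, ...]                  # variables the program may change
    pre: Callable[[State], bool]            # assumed of the initial state
    post: Callable[[State, State], bool]    # relates initial and final state

# Non-procedural statement of the problem: r is the integer square root of n.
ISQRT = Spec(
    frame=("r",),
    pre=lambda s: s["n"] >= 0,
    post=lambda s0, s: s["r"] >= 0 and s["r"] ** 2 <= s0["n"] < (s["r"] + 1) ** 2,
)

def isqrt_bisect(s: State) -> State:
    """Candidate that keeps the invariant lo^2 <= n < hi^2 while narrowing."""
    n, lo, hi = s["n"], 0, s["n"] + 1
    while lo + 1 != hi:
        mid = (lo + hi) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid
    return {**s, "r": lo}

def isqrt_overshoot(s: State) -> State:
    """Constructed defect: stops at the first r with r^2 >= n, so it rounds up."""
    r = 0
    while r * r < s["n"]:
        r += 1
    return {**s, "r": r}

def isqrt_clobber(s: State) -> State:
    """Constructed defect: correct r, but overwrites n, which is outside the frame."""
    out = isqrt_bisect(s)
    return {**out, "n": out["r"] ** 2}

def animate(spec: Spec, program: Callable[[State], State],
            states: Iterable[State]) -> Optional[Tuple[State, State, str]]:
    """Return the first (initial, final, reason) counterexample, or None."""
    for s0 in states:
        if not spec.pre(s0):
            continue                        # nothing is promised outside pre
        s = program(dict(s0))
        changed = [v for v in s0 if s.get(v) != s0[v] and v not in spec.frame]
        if changed:
            return s0, s, "changed outside frame: " + ",".join(changed)
        if not spec.post(s0, s):
            return s0, s, "postcondition violated"
    return None

def bounded_states(limit: int) -> Iterable[State]:
    """Constructed test states: n from -3 up to limit-1, r starting as junk."""
    return ({"n": n, "r": -1} for n in range(-3, limit))

if __name__ == "__main__":
    for prog in (isqrt_bisect, isqrt_overshoot, isqrt_clobber):
        print(prog.__name__, animate(ISQRT, prog, bounded_states(2000)))
```

The third candidate satisfies the postcondition and is rejected only by the frame check, which is the part of a specification statement that a plain pre/post assertion pair leaves out.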

31 Formal Methods to Procedural Code 2
Larch
- The Larch family of languages supports a two-tiered, definitional style of specification. One tier is a language designed for a specific programming language, the Larch Interface Language (LIL); the other is a language independent of any programming language, the Larch Shared Language (LSL).
- LILs are bound to Ada, C, C++, CLU, CORBA, ML, Modula-3, VHDL, and Smalltalk. There are also "generic" Larch interface languages that can be specialized for particular programming languages or used to specify interfaces between programs in different languages.

32 Languages & notations…
À la fin c'est tout le pareil (in the end it is all the same)
Don’t fight over which “color” to use
Pick a color and start drawing!
