Introduction to Formal Methods
Based on Jeannette M. Wing, "A Specifier's Introduction to Formal Methods," IEEE Computer, 23(9):8-24, September 1990.

Outline
– Definition of formal methods and specification languages
– Pragmatics of formal specifications
– Examples: Z, VDM, Larch, temporal logic, CSP, transition axioms

In-class: Read page 8 (10 mins)
Q: What are formal methods?
Q: At what stages of system development can formal methods be used?
Q: What are some advantages of formal specifications?

Formal Methods
Definition: Formal methods are mathematically based techniques for describing system properties, from which people can systematically specify, develop, and verify systems. The mathematical foundation allows a concise and unambiguous definition of notions such as:
– Consistency
– Completeness
– Specification
– Implementation
– Correctness
Because the semantics are formally defined, specifications are amenable to machine analysis and manipulation.

Formal Methods
Can be used to specify:
– behavioral properties
– structural properties
– pragmatic considerations, e.g. response time
Applicable at all phases of the software lifecycle:
– Requirements analysis
– Design
– V & V
– Documentation
– Analysis and evaluation

In-class: Read pages
Q1: What are the three elements of a formal specification language?
Q2: Give examples of semantic domains.
Q3: Why an "abstract satisfies relation" on top of the "satisfies" relation?

Formal Specification Language
A triple (Syn, Sem, Sat):
– Syn: the language's syntactic domain, a set
– Sem: the language's semantic domain, a set
– Sat: the satisfies relation between Syn and Sem, a subset of Syn × Sem
Given (Syn, Sem, Sat):
– If Sat(syn, sem), then syn is a specification of sem and sem is a specificand of syn.
– The specificand set of a specification syn in Syn is the set of all specificands sem in Sem such that Sat(syn, sem).
– I.e., Sat doesn't have to be a function; but why?
– Q: Any other properties of Sat?

Syntactic Domains
Defined as a set of symbols and grammatical rules:
– Symbols can be constants, variables, and logical connectives
– Grammatical rules define how to combine the symbols into well-formed sentences
– E.g., x.P(x) Q(x)
A syntactic domain need not be restricted to text:
– Symbols can include boxes, circles, lines, arrows, etc.
– A possible rule could be that "an arrow must be connected at both ends to a box"
Essentially, the syntactic domain is the set of all possible well-formed specifications that can be expressed using the symbols, whether textual or graphical.

Semantic Domains
Semantic domain:
– The set of objects in the universe of what the language can describe, i.e., meanings or interpretations.
Examples:
– ADT languages: algebras, theories, programs
– Concurrent/distributed: state sequences, event sequences, state and transition sequences, streams, synchronization trees, partial orders, state machines
– Programming languages: functions from input to output, computations, predicate transformers, machine instructions
When the semantic domain is a set of programs:
– "implements" is used for "satisfies"
– "implementation" is used for "specificand"

Satisfies Relation
Often one needs to specify different aspects of a single specificand (various abstractions), e.g.:
– Functional behavior of a collection of program modules
– Structural relationships between the modules
Abstraction functions for different views:
– A semantic abstraction function maps elements of the semantic domain into equivalence classes
– It induces a partition of the semantic domain
An abstract satisfies relation holds between specifications and equivalence classes of the semantic domain.

Abstract Satisfies Relation
(Figure: the set of Java methods partitioned into equivalence classes such as "all methods that sort arrays" and "all methods that use the Set class".)

Abstract Satisfies Relation
Two broad classes of abstraction functions:
– Those that abstract while preserving behavior
– Those that abstract while preserving structure
Behavioral specifications:
– Constraints on observed behavior
– Functionality, such as a mapping from inputs to outputs (Cleanroom)
– Other aspects such as fault tolerance, safety, security, response time, and space efficiency
Structural specifications:
– Constraints on the internal composition of specificands
– Capture hierarchical and uses relations
– Denoted by call graphs, data dependency diagrams, etc.

Properties of Specifications
Given (Syn, Sem, Sat):
– Unambiguous: a spec syn is unambiguous if Sat maps syn to exactly one specificand set.
– Consistent: a spec syn is consistent if Sat maps syn to a non-empty specificand set.
– Complete vs. incomplete (or loose) specifications:
  – More complete: more implementation bias and less freedom
  – Less complete: more freedom for the programmer and less restrictive
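To make the triple (Syn, Sem, Sat), the specificand sets, the abstraction function and the properties above concrete, here is an added example (not from the slides or from Wing's paper) in Python. Everything in it is constructed: the semantic domain is a handful of small list-transforming programs, the syntactic domain is a few English sentences each given one or more readings as predicates, and Sat is decided by exhaustive checking over a finite input universe. The sentence "output is ordered" is deliberately given two readings so that it comes out ambiguous, and the last sentence is contradictory so that it comes out inconsistent.

```python
from itertools import product

# Sem: a constructed finite semantic domain of candidate programs (list -> list).
def sort_asc(xs):        return sorted(xs)
def sort_asc_again(xs):  return list(sorted(xs))            # behaviourally identical to sort_asc
def sort_desc(xs):       return sorted(xs, reverse=True)
def identity(xs):        return list(xs)
def reverse(xs):         return list(reversed(xs))
def dedup_asc(xs):       return sorted(set(xs))

SEM = {"sort_asc": sort_asc, "sort_asc_again": sort_asc_again, "sort_desc": sort_desc,
       "identity": identity, "reverse": reverse, "dedup_asc": dedup_asc}

# Finite input universe (all lists of length <= 3 over {0,1,2}) so Sat is decidable by enumeration.
INPUTS = [list(t) for n in range(4) for t in product(range(3), repeat=n)]

# Predicates over (input, output) pairs; a "reading" of a sentence is a tuple of these.
def is_perm(xs, ys):    return sorted(xs) == sorted(ys)
def is_asc(xs, ys):     return all(a <= b for a, b in zip(ys, ys[1:]))
def is_desc(xs, ys):    return all(a >= b for a, b in zip(ys, ys[1:]))
def one_longer(xs, ys): return len(ys) == len(xs) + 1

# Syn: the sentences of the (constructed) language, each mapped to its possible readings.
# An informal sentence such as "output is ordered" has two readings: that is its ambiguity.
SYN = {
    "output is an ascending permutation of the input": [(is_perm, is_asc)],
    "output is ordered":                               [(is_asc,), (is_desc,)],
    "output is a permutation of the input":            [(is_perm,)],
    "output is a permutation with one extra element":  [(is_perm, one_longer)],
}

def reading_holds(reading, impl):
    """Does program `impl` satisfy every predicate of `reading` on every input?"""
    return all(p(xs, impl(xs)) for xs in INPUTS for p in reading)

def specificand_sets(sentence):
    """One specificand set per reading of the sentence."""
    return [frozenset(n for n, impl in SEM.items() if reading_holds(r, impl)) for r in SYN[sentence]]

def specificand_set(sentence):
    """{sem | Sat(syn, sem)}: the union over all readings."""
    return frozenset().union(*specificand_sets(sentence))

def sat(sentence, impl_name):
    """Sat(syn, sem): sem is a specificand of syn under at least one reading."""
    return impl_name in specificand_set(sentence)

def is_unambiguous(sentence):   # Sat maps syn to exactly one specificand set
    return len(set(specificand_sets(sentence))) == 1

def is_consistent(sentence):    # the specificand set is non-empty
    return bool(specificand_set(sentence))

def is_loose(sentence):         # more than one implementation is allowed (Sat is not a function)
    return len(specificand_set(sentence)) > 1

# Behaviour-preserving abstraction function: map each program to its input/output table.
# Programs with the same table fall into the same equivalence class; the abstract satisfies
# relation then relates a sentence to whole classes rather than to individual programs.
def abstraction(impl_name):
    return tuple((tuple(xs), tuple(SEM[impl_name](xs))) for xs in INPUTS)

def equivalence_classes():
    classes = {}
    for name in SEM:
        classes.setdefault(abstraction(name), set()).add(name)
    return [frozenset(c) for c in classes.values()]

if __name__ == "__main__":
    for s in SYN:
        print(f"{s!r}: specificands={sorted(specificand_set(s))} "
              f"unambiguous={is_unambiguous(s)} consistent={is_consistent(s)} loose={is_loose(s)}")
    print("equivalence classes:", [sorted(c) for c in equivalence_classes()])
```

Running it shows the relation character of Sat in both directions: "output is a permutation of the input" is satisfied by five programs (loose), while sort_asc satisfies three different sentences; sort_asc and sort_asc_again are distinct elements of Sem that the behavioural abstraction collapses into one class.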

Proving Properties of Specificands
Most formal methods include a language that has a well-defined logical inference engine. When you prove that a specification is inferable from a set of facts (other specs), you prove a property that any specificand satisfying those facts will have.
– Soundness vs. completeness
If users are able to prove a surprising result, then perhaps the base specifications are wrong.

Pragmatics
Users:
– Writers
– Readers
Use
Characteristics

Use of Formal Methods
Formal methods can be applied to all phases of system development, i.e., throughout the development lifecycle.
Requirements:
– Clarify the customer's stated requirements
– Crystallize vague ideas
– Aid communication between engineer and client, e.g., English-to-spec / spec-to-English tools
Design:
– Aids in decomposition, e.g., by formally specifying the interfaces between modules
– Aids in refinement, e.g., by ensuring that different levels of abstraction all satisfy a parent specification

Use of Formal Methods
Verification and validation:
– Guide the building of test cases, e.g., black-box testing
– Verify the critical sections of an implementation
Documentation:
– More precise and concise than natural language
Analysis and evaluation:
– Serve as a reference point between what the customer wanted and what was implemented
– Can be used to find bugs in existing systems that weren't developed using formal methods

Characteristics of FMs
Model-oriented:
– Define a system's behavior directly by constructing a model
– Model in terms of mathematical structures such as sets, functions, relations, and sequences
– Use the model to show correctness with respect to specifications
– E.g., sequential and ADT: Z, VDM; concurrent and distributed: Petri nets, CCS, CSP
Property-oriented:
– Define a system's behavior indirectly by stating a set of properties that the system must satisfy
– Properties in the form of axioms
– E.g., Larch, OBJ, Clear, ACT ONE

Characteristics of FMs
Visual languages:
– HIPO, Structured Design, Software Requirements Engineering Method
Executable:
– OBJ, Prolog
– Q: Should a formal specification language be executable?
Tool-supported:
– Model-checking tools: EMC
– Proof-checking tools: Boyer-Moore Theorem Prover, FDM, HDM, m-EVES, HOL, LCF, OBJ

Language Examples (Symbol Table in Z and VDM)

Symbol Table – Larch (Larch/CLU interface specification and LSL trait)
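The Z, VDM and Larch symbol-table specifications of the original slides are not reproduced in this transcript. As an added example (not the slides' own Z, VDM or Larch text, and not a transcription of Wing's paper), the Python below contrasts the two styles from the "Characteristics of FMs" slide on the same symbol table: a model-oriented version in the spirit of Z/VDM, where the state is a finite partial function from names to values and each operation carries a precondition and a postcondition, and a property-oriented version in the spirit of a Larch LSL trait, where the operations are characterised only by axioms. The checker evaluates the axioms on every table reachable by a bounded number of inserts, i.e. it decides the satisfies relation between the axioms and the model for that finite fragment. The axiom names A0 to A4, the name/value alphabets and the deliberately faulty `BrokenTable` are all constructed for this example.

```python
from itertools import product

# Model-oriented specification (Z/VDM style): state = partial function name -> value,
# modelled as a dict; operations return a new table and check pre- and postconditions.
class SymbolTable:
    def __init__(self, st=None):
        self.st = dict(st or {})

    def is_in(self, name):
        return name in self.st

    def insert(self, name, value):
        assert not self.is_in(name), "pre: name not in dom st"
        new = type(self)(self.st)
        new.st[name] = value
        assert new.st == {**self.st, name: value}, "post: st' = st extended by name -> value"
        return new

    def delete(self, name):
        assert self.is_in(name), "pre: name in dom st"
        new = type(self)({k: v for k, v in self.st.items() if k != name})
        assert new.st.keys() == self.st.keys() - {name}, "post: dom st' = dom st minus {name}"
        return new

    def lookup(self, name):
        assert self.is_in(name), "pre: name in dom st"
        return self.st[name]

# Constructed faulty model: delete empties the whole table and omits the postcondition check.
class BrokenTable(SymbolTable):
    def delete(self, name):
        assert self.is_in(name), "pre: name in dom st"
        return type(self)({})

# Property-oriented specification (Larch LSL style), as axioms over the operations:
#   A0: isIn(empty, n) = false
#   A1: lookup(insert(st, n, v), n) = v
#   A2: n != m  =>  lookup(insert(st, n, v), m) = lookup(st, m)
#   A3: isIn(delete(st, n), n) = false
#   A4: n != m  =>  lookup(delete(st, n), m) = lookup(st, m)
def reachable_tables(table_cls, names, values, depth):
    """All tables built from the empty table by up to `depth` inserts of distinct names."""
    tables, frontier = [table_cls()], [table_cls()]
    for _ in range(depth):
        frontier = [t.insert(n, v) for t in frontier for n, v in product(names, values) if not t.is_in(n)]
        tables.extend(frontier)
    return tables

def violated_axioms(table_cls, names=("x", "y"), values=(1, 2), depth=2):
    """Names of the axioms the model violates on the finite fragment (empty list = model satisfies them)."""
    bad = set()
    if any(table_cls().is_in(n) for n in names):
        bad.add("A0")
    for st in reachable_tables(table_cls, names, values, depth):
        for n, m, v in product(names, names, values):
            if not st.is_in(n):
                ins = st.insert(n, v)
                if ins.lookup(n) != v:
                    bad.add("A1")
                if n != m and st.is_in(m) and ins.lookup(m) != st.lookup(m):
                    bad.add("A2")
            else:
                d = st.delete(n)
                if d.is_in(n):
                    bad.add("A3")
                if n != m and st.is_in(m) and not (d.is_in(m) and d.lookup(m) == st.lookup(m)):
                    bad.add("A4")
    return sorted(bad)

if __name__ == "__main__":
    print("SymbolTable violates:", violated_axioms(SymbolTable))   # []
    print("BrokenTable violates:", violated_axioms(BrokenTable))   # ['A4']
```

The correct model satisfies all five axioms, while the faulty one fails only A4: deleting one name destroys the others, which the per-operation pre/postconditions of the faulty class never check but the algebraic property exposes.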

Concurrency – Temporal Logic
Based on temporal operators such as:
– □P (always): P holds in all future states
– ◇P (eventually): P holds in some future state
– ○P (next): P holds in the next state
Q: Meanings of (1)-(4)?
Notation: event of placing message m on channel c.

Temporal Logic
(1) Any message transmitted to the right channel must have been previously placed on the left channel
(2) Messages are transmitted first in, first out
(3) All messages are unique
(4) Each incoming message will eventually be transmitted
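As an added example (not from the slides or Wing's paper), the Python below states the four channel properties as checks over finite event traces and runs them against a few constructed traces, one satisfying all four and one violating each. The trace encoding is an assumption: ("in", m) stands for "message m placed on the left channel" and ("out", m) for "m transmitted to the right channel". Because a finite trace stands for one complete execution, "in all future states" and "in some future state" are evaluated over the remaining positions of the trace, which is how a finite-trace checker approximates □ and ◇; property (4) is literally □(in(m) → ◇ out(m)) under that reading.

```python
# Constructed traces of a one-in, one-out message-passing component.
def always(trace, pred):
    """Finite-trace reading of □P: pred(i) holds at every position i."""
    return all(pred(i) for i in range(len(trace)))

def eventually(trace, start, pred):
    """Finite-trace reading of ◇P from position `start`: pred(j) holds at some j >= start."""
    return any(pred(j) for j in range(start, len(trace)))

def placed_before(trace, i):
    """If position i transmits m, was ("in", m) placed on the left channel earlier?"""
    kind, m = trace[i]
    return kind != "out" or any(trace[j] == ("in", m) for j in range(i))

def property1(trace):
    """(1) Every transmitted message was previously placed on the left channel."""
    return always(trace, lambda i: placed_before(trace, i))

def property2(trace):
    """(2) FIFO: messages are transmitted in the order in which they were placed."""
    ins  = [m for kind, m in trace if kind == "in"]
    outs = [m for kind, m in trace if kind == "out"]
    return outs == ins[:len(outs)]

def property3(trace):
    """(3) All messages are unique: no message is placed on the left channel twice."""
    ins = [m for kind, m in trace if kind == "in"]
    return len(ins) == len(set(ins))

def property4(trace):
    """(4) Every incoming message is eventually transmitted: □(in(m) -> ◇ out(m))."""
    return always(trace, lambda i: trace[i][0] != "in"
                  or eventually(trace, i + 1, lambda j: trace[j] == ("out", trace[i][1])))

def check(trace):
    """Evaluate all four properties on one trace."""
    return {"1": property1(trace), "2": property2(trace), "3": property3(trace), "4": property4(trace)}

# Constructed sample traces.
GOOD      = [("in", "a"), ("in", "b"), ("out", "a"), ("in", "c"), ("out", "b"), ("out", "c")]
REORDERED = [("in", "a"), ("in", "b"), ("out", "b"), ("out", "a")]      # violates (2)
SPURIOUS  = [("in", "a"), ("out", "a"), ("out", "b")]                   # violates (1) (and hence (2))
DUPLICATE = [("in", "a"), ("in", "a"), ("out", "a"), ("out", "a")]      # violates (3)
LOST      = [("in", "a"), ("in", "b"), ("out", "a")]                    # violates (4)

if __name__ == "__main__":
    for name, t in [("GOOD", GOOD), ("REORDERED", REORDERED), ("SPURIOUS", SPURIOUS),
                    ("DUPLICATE", DUPLICATE), ("LOST", LOST)]:
        print(f"{name:10s} {check(t)}")
```

Note that property (1) needs to look backwards in the trace, which is why it is not written with the future-only operators of the previous slide: in a purely future-time logic one would phrase it instead as "no message is transmitted until it has been placed", which requires an until operator.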

Concurrency – Communicating Sequential Processes (CSP)
Based on a model of traces (event sequences), and assumes that processes communicate by sending messages.
– prefix
– refusal set: the events a process can refuse to communicate
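To give "prefix", "trace" and "refusal set" a concrete meaning, here is an added example (not from the slides or from any CSP tool) of a minimal trace-model interpreter in Python. The process syntax (STOP, event prefix, external choice, encoded as tuples) and the vending-machine processes are constructed for the example; the interpreter assumes the two branches of a choice start with distinct events, so it has no internal nondeterminism and the refusal set of a state is simply the alphabet minus the events the process is ready to perform. Satisfaction is expressed as trace refinement: an implementation satisfies a specification if every trace of the implementation is a trace of the specification.

```python
# Constructed mini-CSP: a process is STOP, a prefix (event -> P), or an external choice P [] Q.
STOP = ("STOP",)
def prefix(event, proc): return ("prefix", event, proc)
def choice(p, q):        return ("choice", p, q)

def initials(proc):
    """Events the process is ready to engage in first."""
    if proc[0] == "STOP":   return frozenset()
    if proc[0] == "prefix": return frozenset({proc[1]})
    return initials(proc[1]) | initials(proc[2])

def after(proc, event):
    """The process that remains once `event` has occurred (None if the process cannot do it)."""
    if proc[0] == "prefix":
        return proc[2] if proc[1] == event else None
    if proc[0] == "choice":                       # branches assumed to start with distinct events
        p = after(proc[1], event)
        return p if p is not None else after(proc[2], event)
    return None

def traces(proc):
    """The (prefix-closed) set of all finite event sequences the process can perform."""
    result = {()}
    for e in initials(proc):
        result |= {(e,) + t for t in traces(after(proc, e))}
    return result

def refusals(proc, alphabet):
    """Largest set of events the process can refuse in its current state."""
    return frozenset(alphabet) - initials(proc)

def trace_refines(spec, impl):
    """impl satisfies spec in the traces model: traces(impl) is a subset of traces(spec)."""
    return traces(impl) <= traces(spec)

ALPHABET = {"coin", "coffee", "tea"}
# Specification: after a coin the machine offers coffee or tea, then stops.
VENDING     = prefix("coin", choice(prefix("coffee", STOP), prefix("tea", STOP)))
# Candidate implementation that only ever serves coffee (fewer traces: still a refinement).
COFFEE_ONLY = prefix("coin", prefix("coffee", STOP))
# Faulty implementation that can also serve tea without a coin (an extra trace: not a refinement).
FREE_TEA    = choice(VENDING, prefix("tea", STOP))

if __name__ == "__main__":
    print("traces(VENDING)        =", sorted(traces(VENDING)))
    print("refusals before coin   =", sorted(refusals(VENDING, ALPHABET)))
    print("refusals after coin    =", sorted(refusals(after(VENDING, "coin"), ALPHABET)))
    print("COFFEE_ONLY refines?   ", trace_refines(VENDING, COFFEE_ONLY))
    print("FREE_TEA refines?      ", trace_refines(VENDING, FREE_TEA))
```

The example also shows the limit of the traces model alone: COFFEE_ONLY refines VENDING although it refuses tea after a coin, which is visible only in the refusal sets. That is exactly why CSP's richer failures model pairs each trace with the refusals that can follow it.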

Concurrency – Transition Axioms
– Axioms for operations
– Temporal logic for properties

Summary
Differences among formal methods:
– notation, semantic domain, definition of the satisfies relation
But the same purpose:
– Let system developers couch their ideas precisely
– I.e., provide a way to specify and verify programs in order to give clients, designers, implementers, and testers a deeper understanding of a system.